This is a note to let you know that I've just added the patch titled
llc: fix info leak via getsockname()
to the 3.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
llc-fix-info-leak-via-getsockname.patch
and it can be found in the queue-3.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From f917ecb33ee2815b2d0ba711a11ad94c88ad4669 Mon Sep 17 00:00:00 2001
From: Mathias Krause <[email protected]>
Date: Wed, 15 Aug 2012 11:31:53 +0000
Subject: llc: fix info leak via getsockname()
From: Mathias Krause <[email protected]>
[ Upstream commit 3592aaeb80290bda0f2cf0b5456c97bfc638b192 ]
The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes kernel stack via the getsockname() syscall.
Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.
Signed-off-by: Mathias Krause <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/llc/af_llc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -971,14 +971,13 @@ static int llc_ui_getname(struct socket
struct sockaddr_llc sllc;
struct sock *sk = sock->sk;
struct llc_sock *llc = llc_sk(sk);
- int rc = 0;
+ int rc = -EBADF;
memset(&sllc, 0, sizeof(sllc));
lock_sock(sk);
if (sock_flag(sk, SOCK_ZAPPED))
goto out;
*uaddrlen = sizeof(sllc);
- memset(uaddr, 0, *uaddrlen);
if (peer) {
rc = -ENOTCONN;
if (sk->sk_state != TCP_ESTABLISHED)
Patches currently in stable-queue which might be from [email protected] are
queue-3.4/ipvs-fix-info-leak-in-getsockopt-ip_vs_so_get_timeout.patch
queue-3.4/bluetooth-rfcomm-fix-info-leak-via-getsockname.patch
queue-3.4/bluetooth-hci-fix-info-leak-in-getsockopt-hci_filter.patch
queue-3.4/bluetooth-hci-fix-info-leak-via-getsockname.patch
queue-3.4/atm-fix-info-leak-in-getsockopt-so_atmpvc.patch
queue-3.4/llc-fix-info-leak-via-getsockname.patch
queue-3.4/net-fix-info-leak-in-compat-dev_ifconf.patch
queue-3.4/bluetooth-rfcomm-fix-info-leak-in-getsockopt-bt_security.patch
queue-3.4/atm-fix-info-leak-via-getsockname.patch
queue-3.4/bluetooth-l2cap-fix-info-leak-via-getsockname.patch
queue-3.4/dccp-fix-info-leak-via-getsockopt-dccp_sockopt_ccid_tx_info.patch
queue-3.4/bluetooth-rfcomm-fix-info-leak-in-ioctl-rfcommgetdevlist.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
