net: amend the fix for SO_BSDCOMPAT gsopt infoleak

From: Eugene Teo
Date: Mon Feb 23 2009 - 11:41:40 EST

Next message: Christoph Lameter: "Re: [PATCH 04/20] Convert gfp_zone() to use a table of precalculatedvalue"
Previous message: Nick Kossifidis: "Re: [TIP] BUG kmalloc-4096: Poison overwritten (ath5k_rx_skb_alloc)"
Next in thread: David Miller: "Re: net: amend the fix for SO_BSDCOMPAT gsopt infoleak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
that the same problem of leaking kernel memory will reappear if someone
on some architecture uses struct timeval with some internal padding (for
example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
leak the padded bytes to userspace.

Signed-off-by: Eugene Teo <eugeneteo@xxxxxxxxx>
Reported-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>

diff --git a/net/core/sock.c b/net/core/sock.c
index 6f2e133..913c95f 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -696,7 +696,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len < 0)
return -EINVAL;

- v.val = 0;
+ memset(&v, 0, sizeof(v));

switch(optname) {
case SO_DEBUG:
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Lameter: "Re: [PATCH 04/20] Convert gfp_zone() to use a table of precalculatedvalue"
Previous message: Nick Kossifidis: "Re: [TIP] BUG kmalloc-4096: Poison overwritten (ath5k_rx_skb_alloc)"
Next in thread: David Miller: "Re: net: amend the fix for SO_BSDCOMPAT gsopt infoleak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]