[PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname.

From: Clement LECIGNE
Date: Wed Aug 26 2009 - 07:35:31 EST

Next message: Joachim Fenkes: "[PATCH] IB/ehca: Construct MAD redirect replies from request MAD"
Previous message: Ryo Tsuruta: "IO controller Mini-Summit 2009"
Next in thread: Tetsuo Handa: "Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

In function atalk_getname(), sockaddr_at is returned in userland without
zero'ing the "char sat_zero[8]" field. This bug allows user to display 8
bytes leaked from the kernel stack.

Here is a patch that zero the whole sockaddr_at structure before
processing it. It should fix this bug.

Signed-off-by: Clément Lecigne <clement.lecigne@xxxxxxxxxx>
--- linux/net/appletalk/ddp.c 2009-08-26 11:35:59.000000000 +0200
+++ linux/net/appletalk/ddp.c 2009-08-26 11:36:30.000000000 +0200
@@ -1241,6 +1241,8 @@ static int atalk_getname(struct socket *
if (atalk_autobind(sk) < 0)
return -ENOBUFS;

+ memset(&sat, 0, sizeof(struct sockaddr_at));
+
*uaddr_len = sizeof(struct sockaddr_at);

if (peer) {

--
Clément LECIGNE,
-Only one remote hole in the default install, in more than 10 years!<br>
+Only two remote holes in the default install, in more than 10 years!<br>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Joachim Fenkes: "[PATCH] IB/ehca: Construct MAD redirect replies from request MAD"
Previous message: Ryo Tsuruta: "IO controller Mini-Summit 2009"
Next in thread: Tetsuo Handa: "Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]