[PATCH] econet: 4 byte infoleak to the network

From: Vasiliy Kulikov
Date: Thu Mar 17 2011 - 07:40:28 EST

Next message: Robert Richter: "Re: [PATCH 2/2] oprofile: Add __exit attibute tooprofile_arch_exit() functions"
Previous message: Michal Marek: "Re: [PATCH] KBuild: silence "'scripts/unifdef' is up to date.""
Next in thread: Phil Blundell: "Re: [PATCH] econet: 4 byte infoleak to the network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
x86_64. These bytes are not initialized in the variable 'ah' before
sending 'ah' to the network. This leads to 4 bytes kernel stack
infoleak.

This bug was introduced before the git epoch.

Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
---
net/econet/af_econet.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 0c28263..116d3fd 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
udpdest.sin_addr.s_addr = htonl(network | addr.station);
}

+ memset(&ah, 0, sizeof(ah));
ah.port = port;
ah.cb = cb & 0x7f;
ah.code = 2; /* magic */
- ah.pad = 0;

/* tack our header on the front of the iovec */
size = sizeof(struct aunhdr);
--
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Robert Richter: "Re: [PATCH 2/2] oprofile: Add __exit attibute tooprofile_arch_exit() functions"
Previous message: Michal Marek: "Re: [PATCH] KBuild: silence "'scripts/unifdef' is up to date.""
Next in thread: Phil Blundell: "Re: [PATCH] econet: 4 byte infoleak to the network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]