Re: net/dev: fix information leak to userspace
From: Cong Wang
Date: Sun Mar 21 2021 - 21:08:50 EST
On Sun, Mar 21, 2021 at 9:34 AM Pavel Machek <pavel@xxxxxxx> wrote:
>
> dev_get_mac_address() does not always initialize whole
> structure. Unfortunately, other code copies such structure to
> userspace, leaking information. Fix it.
Well, most callers already initialize it with a memset() or copy_from_user(),
for example, __tun_chr_ioctl():

        if (cmd == TUNSETIFF || cmd == TUNSETQUEUE ||
            (_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) {
                if (copy_from_user(&ifr, argp, ifreq_len))
                        return -EFAULT;
        } else {
                memset(&ifr, 0, sizeof(ifr));
        }

Except tap_ioctl(), but we can just initialize 'sa' there instead of doing
it in dev_get_mac_address().
Thanks.
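
Added example (not part of the original message and not kernel code): a user-space model of the pattern discussed in this thread, where a helper writes only part of a sockaddr-shaped structure and the caller then copies the whole structure out. The names model_sockaddr, model_get_mac_address, leaked_bytes and POISON are hypothetical; the poison fill is a constructed stand-in for stale stack contents, and memcpy() stands in for copy_to_user().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA   /* constructed marker standing in for stale stack bytes */

struct model_sockaddr {          /* same shape as struct sockaddr: 2 + 14 bytes */
    unsigned short sa_family;
    char sa_data[14];
};

/* Simplified model of a helper that writes only addr_len bytes of sa_data. */
static void model_get_mac_address(struct model_sockaddr *sa,
                                  const unsigned char *dev_addr, size_t addr_len)
{
    size_t size = sizeof(sa->sa_data);

    sa->sa_family = 1;           /* ARPHRD_ETHER */
    memcpy(sa->sa_data, dev_addr, addr_len < size ? addr_len : size);
}

/* Return how many bytes handed to "userspace" were never written by the helper.
 * zero_first selects the caller-side memset() described in the reply. */
size_t leaked_bytes(int zero_first)
{
    static const unsigned char mac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    struct model_sockaddr sa;
    unsigned char user_copy[sizeof(sa)];
    size_t i, stale = 0;

    memset(&sa, POISON, sizeof(sa));        /* simulate leftover stack contents */
    if (zero_first)
        memset(&sa, 0, sizeof(sa));         /* caller initializes 'sa' first */
    model_get_mac_address(&sa, mac, sizeof(mac));
    memcpy(user_copy, &sa, sizeof(sa));     /* stands in for copy_to_user() */

    for (i = 0; i < sizeof(user_copy); i++)
        if (user_copy[i] == POISON)
            stale++;
    return stale;
}

int main(void)
{
    printf("without memset: %zu stale bytes copied out\n", leaked_bytes(0));
    printf("with memset:    %zu stale bytes copied out\n", leaked_bytes(1));
    return 0;
}
```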