Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname.

From: Eric Dumazet
Date: Wed Aug 26 2009 - 08:36:06 EST


Clement LECIGNE a écrit :
> Hi,
>
> In function atalk_getname(), sockaddr_at is returned in userland without
> zero'ing the "char sat_zero[8]" field. This bug allows user to display 8
> bytes leaked from the kernel stack.
>
> Here is a patch that zero the whole sockaddr_at structure before
> processing it. It should fix this bug.
>
> Signed-off-by: Clément Lecigne <clement.lecigne@xxxxxxxxxx>
> --- linux/net/appletalk/ddp.c 2009-08-26 11:35:59.000000000 +0200
> +++ linux/net/appletalk/ddp.c 2009-08-26 11:36:30.000000000 +0200
> @@ -1241,6 +1241,8 @@ static int atalk_getname(struct socket *
> if (atalk_autobind(sk) < 0)
> return -ENOBUFS;
>
> + memset(&sat, 0, sizeof(struct sockaddr_at));
> +
> *uaddr_len = sizeof(struct sockaddr_at);
>
> if (peer) {
>
Hi Clement

Well, I submitted same patch some weeks ago and I just checked that
it was already in Linus tree.

author Eric Dumazet <eric.dumazet@xxxxxxxxx>
Thu, 6 Aug 2009 02:27:43 +0000 (02:27 +0000)
committer David S. Miller <davem@xxxxxxxxxxxxx>
Thu, 6 Aug 2009 20:08:45 +0000 (13:08 -0700)
commit 3d392475c873c10c10d6d96b94d092a34ebd4791

appletalk: fix atalk_getname() leak

atalk_getname() can leak 8 bytes of kernel memory to user

Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>


Dont worry, it'll be included in upcoming 2.6.31 kernel,
and backported to previous ones as well.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/