From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1031532Ab2I1UIo (ORCPT ); Fri, 28 Sep 2012 16:08:44 -0400 Received: from mail-pb0-f46.google.com ([209.85.160.46]:63006 "EHLO mail-pb0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758763Ab2I1SyY (ORCPT ); Fri, 28 Sep 2012 14:54:24 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg KH , alan@lxorguk.ukuu.org.uk, Mathias Krause , Marcel Holtmann , Gustavo Padovan , Johan Hedberg , "David S. Miller" Subject: [ 015/262] Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY) Date: Fri, 28 Sep 2012 11:49:04 -0700 Message-Id: <20120928182959.743358708@linuxfoundation.org> X-Mailer: git-send-email 1.7.10.1.362.g242cab3 In-Reply-To: <20120928182957.993484211@linuxfoundation.org> References: <20120928182957.993484211@linuxfoundation.org> User-Agent: quilt/0.60-2.1.2 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Greg KH 3.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause [ Upstream commit 9ad2de43f1aee7e7274a4e0d41465489299e344b ] The RFCOMM code fails to initialize the key_size member of struct bt_security before copying it to userland -- that for leaking one byte kernel stack. Initialize key_size with 0 to avoid the info leak. Signed-off-by: Mathias Krause Cc: Marcel Holtmann Cc: Gustavo Padovan Cc: Johan Hedberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/rfcomm/sock.c | 1 + 1 file changed, 1 insertion(+) --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -841,6 +841,7 @@ static int rfcomm_sock_getsockopt(struct } sec.level = rfcomm_pi(sk)->sec_level; + sec.key_size = 0; len = min_t(unsigned int, len, sizeof(sec)); if (copy_to_user(optval, (char *) &sec, len))