From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
Herbert Xu <herbert@gondor.hengli.com.au>
Subject: [ 17/26] crypto: algif - suppress sending source address information in recvmsg
Date: Tue, 23 Apr 2013 14:53:57 -0700 [thread overview]
Message-ID: <20130423215335.137328642@linuxfoundation.org> (raw)
In-Reply-To: <20130423215333.344045754@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe upstream.
The current code does not set the msg_namelen member to 0 and therefore
makes net/socket.c leak the local sockaddr_storage variable to userland
-- 128 bytes of kernel stack memory. Fix that.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/algif_hash.c | 2 ++
crypto/algif_skcipher.c | 1 +
2 files changed, 3 insertions(+)
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *un
else if (len < ds)
msg->msg_flags |= MSG_TRUNC;
+ msg->msg_namelen = 0;
+
lock_sock(sk);
if (ctx->more) {
ctx->more = 0;
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb
long copied = 0;
lock_sock(sk);
+ msg->msg_namelen = 0;
for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
iovlen--, iov++) {
unsigned long seglen = iov->iov_len;
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [ 17/26] crypto: algif - suppress sending source address information in recvmsg
Date: Tue, 23 Apr 2013 14:53:57 -0700 [thread overview]
Message-ID: <20130423215335.137328642@linuxfoundation.org> (raw)
In-Reply-To: <20130423215333.344045754@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe upstream.
The current code does not set the msg_namelen member to 0 and therefore
makes net/socket.c leak the local sockaddr_storage variable to userland
-- 128 bytes of kernel stack memory. Fix that.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/algif_hash.c | 2 ++
crypto/algif_skcipher.c | 1 +
2 files changed, 3 insertions(+)
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *un
else if (len < ds)
msg->msg_flags |= MSG_TRUNC;
+ msg->msg_namelen = 0;
+
lock_sock(sk);
if (ctx->more) {
ctx->more = 0;
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb
long copied = 0;
lock_sock(sk);
+ msg->msg_namelen = 0;
for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
iovlen--, iov++) {
unsigned long seglen = iov->iov_len;
next prev parent reply other threads:[~2013-04-23 22:05 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-23 21:53 [ 00/26] 3.4.42-stable review Greg Kroah-Hartman
2013-04-23 21:53 ` [ 01/26] ARM: Do 15e0d9e37c (ARM: pm: let platforms select cpu_suspend support) properly Greg Kroah-Hartman
2013-04-23 21:53 ` [ 02/26] hrtimer: Dont reinitialize a cpu_base lock on CPU_UP Greg Kroah-Hartman
2013-04-23 21:53 ` [ 03/26] can: sja1000: fix handling on dt properties on little endian systems Greg Kroah-Hartman
2013-04-23 21:53 ` [ 04/26] hugetlbfs: add swap entry check in follow_hugetlb_page() Greg Kroah-Hartman
2013-04-24 23:04 ` Ben Hutchings
2013-04-24 23:23 ` Greg Kroah-Hartman
2013-04-26 11:38 ` Naoya Horiguchi
2013-04-26 11:41 ` Ben Hutchings
2013-04-23 21:53 ` [ 05/26] kernel/signal.c: stop info leak via the tkill and the tgkill syscalls Greg Kroah-Hartman
2013-04-23 21:53 ` [ 06/26] hfsplus: fix potential overflow in hfsplus_file_truncate() Greg Kroah-Hartman
2013-04-23 21:53 ` [ 07/26] KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) Greg Kroah-Hartman
2013-04-23 21:53 ` [ 08/26] KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) Greg Kroah-Hartman
2013-04-23 21:53 ` [ 09/26] KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) Greg Kroah-Hartman
2013-04-23 21:53 ` [ 10/26] KVM: Allow cross page reads and writes from cached translations Greg Kroah-Hartman
2013-04-23 21:53 ` [ 11/26] sched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s Greg Kroah-Hartman
2013-04-23 21:53 ` [ 12/26] ARM: 7696/1: Fix kexec by setting outer_cache.inv_all for Feroceon Greg Kroah-Hartman
2013-04-23 21:53 ` [ 13/26] ARM: 7698/1: perf: fix group validation when using enable_on_exec Greg Kroah-Hartman
2013-04-23 21:53 ` [ 14/26] ath9k_htc: accept 1.x firmware newer than 1.3 Greg Kroah-Hartman
2013-04-23 21:53 ` [ 15/26] ath9k_hw: change AR9580 initvals to fix a stability issue Greg Kroah-Hartman
2013-04-23 21:53 ` [ 16/26] ssb: implement spurious tone avoidance Greg Kroah-Hartman
2013-04-23 21:53 ` Greg Kroah-Hartman [this message]
2013-04-23 21:53 ` [ 17/26] crypto: algif - suppress sending source address information in recvmsg Greg Kroah-Hartman
2013-04-23 21:53 ` [ 18/26] perf: Treat attr.config as u64 in perf_swevent_init() Greg Kroah-Hartman
2013-04-23 21:53 ` [ 19/26] perf/x86: Fix offcore_rsp valid mask for SNB/IVB Greg Kroah-Hartman
2013-04-23 21:54 ` [ 20/26] fbcon: fix locking harder Greg Kroah-Hartman
2013-04-23 21:54 ` [ 21/26] vm: add vm_iomap_memory() helper function Greg Kroah-Hartman
2013-04-23 21:54 ` [ 22/26] vm: convert snd_pcm_lib_mmap_iomem() to vm_iomap_memory() helper Greg Kroah-Hartman
2013-04-23 21:54 ` [ 23/26] vm: convert fb_mmap " Greg Kroah-Hartman
2013-04-23 21:54 ` [ 24/26] vm: convert HPET mmap " Greg Kroah-Hartman
2013-04-23 21:54 ` [ 25/26] vm: convert mtdchar " Greg Kroah-Hartman
2013-04-23 21:54 ` [ 26/26] Btrfs: make sure nbytes are right after log replay Greg Kroah-Hartman
2013-04-24 16:24 ` [ 00/26] 3.4.42-stable review Shuah Khan
2013-04-24 16:24 ` Shuah Khan
2013-04-25 10:41 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130423215335.137328642@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.