From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
Jon Maloy <jon.maloy@ericsson.com>,
Allan Stephens <allan.stephens@windriver.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 18/42] tipc: fix info leaks via msg_name in recv_msg/recv_stream
Date: Mon, 29 Apr 2013 12:02:00 -0700 [thread overview]
Message-ID: <20130429184754.443665186@linuxfoundation.org> (raw)
In-Reply-To: <20130429184752.435249613@linuxfoundation.org>
3.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
The code in set_orig_addr() does not initialize all of the members of
struct sockaddr_tipc when filling the sockaddr info -- namely the union
is only partly filled. This will make recv_msg() and recv_stream() --
the only users of this function -- leak kernel stack memory as the
msg_name member is a local variable in net/socket.c.
Additionally to that both recv_msg() and recv_stream() fail to update
the msg_namelen member to 0 while otherwise returning with 0, i.e.
"success". This is the case for, e.g., non-blocking sockets. This will
lead to a 128 byte kernel stack leak in net/socket.c.
Fix the first issue by initializing the memory of the union with
memset(0). Fix the second one by setting msg_namelen to 0 early as it
will be updated later if we're going to fill the msg_name member.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -806,6 +806,7 @@ static void set_orig_addr(struct msghdr
if (addr) {
addr->family = AF_TIPC;
addr->addrtype = TIPC_ADDR_ID;
+ memset(&addr->addr, 0, sizeof(addr->addr));
addr->addr.id.ref = msg_origport(msg);
addr->addr.id.node = msg_orignode(msg);
addr->addr.name.domain = 0; /* could leave uninitialized */
@@ -920,6 +921,9 @@ static int recv_msg(struct kiocb *iocb,
goto exit;
}
+ /* will be updated in set_orig_addr() if needed */
+ m->msg_namelen = 0;
+
timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
restart:
@@ -1029,6 +1033,9 @@ static int recv_stream(struct kiocb *ioc
goto exit;
}
+ /* will be updated in set_orig_addr() if needed */
+ m->msg_namelen = 0;
+
target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
next prev parent reply other threads:[~2013-04-29 19:02 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-29 19:01 [ 00/42] 3.8.11-stable review Greg Kroah-Hartman
2013-04-29 19:01 ` [ 01/42] aio: fix possible invalid memory access when DEBUG is enabled Greg Kroah-Hartman
2013-04-29 19:01 ` [ 02/42] TTY: do not update atime/mtime on read/write Greg Kroah-Hartman
2013-04-30 0:14 ` Simon Kirby
2013-04-30 0:21 ` Greg Kroah-Hartman
2013-04-30 0:36 ` Simon Kirby
2013-04-30 1:37 ` Greg Kroah-Hartman
2013-04-30 23:50 ` Simon Kirby
2013-05-01 0:57 ` Linus Torvalds
2013-05-01 1:41 ` Linus Torvalds
2013-05-01 5:23 ` Jiri Slaby
2013-05-01 13:05 ` Wolfram Gloger
2013-05-02 16:11 ` Simon Kirby
2013-04-29 19:01 ` [ 03/42] TTY: fix atime/mtime regression Greg Kroah-Hartman
2013-04-30 12:02 ` Wolfram Gloger
2013-04-29 19:01 ` [ 04/42] sparc64: Fix race in TLB batch processing Greg Kroah-Hartman
2013-04-29 19:01 ` [ 05/42] atm: update msg_namelen in vcc_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 06/42] ax25: fix info leak via msg_name in ax25_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 07/42] Bluetooth: fix possible info leak in bt_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 08/42] Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 09/42] Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 10/42] caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 11/42] irda: Fix missing msg_namelen update in irda_recvmsg_dgram() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 12/42] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 13/42] l2tp: fix info leak in l2tp_ip6_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 14/42] llc: Fix missing msg_namelen update in llc_ui_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 15/42] netrom: fix info leak via msg_name in nr_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 16/42] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:01 ` [ 17/42] rose: fix info leak via msg_name in rose_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` Greg Kroah-Hartman [this message]
2013-04-29 19:02 ` [ 19/42] cbq: incorrect processing of high limits Greg Kroah-Hartman
2013-04-29 19:02 ` [ 20/42] net IPv6 : Fix broken IPv6 routing table after loopback down-up Greg Kroah-Hartman
2013-04-29 19:02 ` [ 21/42] net: count hw_addr syncs so that unsync works properly Greg Kroah-Hartman
2013-04-29 19:02 ` [ 22/42] atl1e: limit gso segment size to prevent generation of wrong ip length fields Greg Kroah-Hartman
2013-04-29 19:02 ` [ 23/42] bonding: fix bonding_masters race condition in bond unloading Greg Kroah-Hartman
2013-04-29 19:02 ` [ 24/42] bonding: IFF_BONDING is not stripped on enslave failure Greg Kroah-Hartman
2013-04-29 19:02 ` [ 25/42] bonding: fix l23 and l34 load balancing in forwarding path Greg Kroah-Hartman
2013-04-29 19:02 ` [ 26/42] af_unix: If we dont care about credentials coallesce all messages Greg Kroah-Hartman
2013-04-29 19:02 ` [ 27/42] netfilter: dont reset nf_trace in nf_reset() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 28/42] ipv6/tcp: Stop processing ICMPv6 redirect messages Greg Kroah-Hartman
2013-04-29 19:02 ` [ 29/42] rtnetlink: Call nlmsg_parse() with correct header length Greg Kroah-Hartman
2013-04-29 19:02 ` [ 30/42] tcp: incoming connections might use wrong route under synflood Greg Kroah-Hartman
2013-04-29 19:02 ` [ 31/42] tcp: Reallocate headroom if it would overflow csum_start Greg Kroah-Hartman
2013-04-29 19:02 ` [ 32/42] net: mvmdio: add select PHYLIB Greg Kroah-Hartman
2013-04-29 19:02 ` [ 33/42] esp4: fix error return code in esp_output() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 34/42] net: mvneta: fix improper tx queue usage in mvneta_tx() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 35/42] net: cdc_mbim: remove bogus sizeof() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 36/42] tcp: call tcp_replace_ts_recent() from tcp_ack() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 37/42] net: rate-limit warn-bad-offload splats Greg Kroah-Hartman
2013-04-29 19:02 ` [ 38/42] net: fix incorrect credentials passing Greg Kroah-Hartman
2013-04-29 19:02 ` [ 39/42] net: drop dst before queueing fragments Greg Kroah-Hartman
2013-04-29 19:02 ` [ 40/42] tracing: Fix selftest function recursion accounting Greg Kroah-Hartman
2013-04-29 19:02 ` [ 41/42] ARM: 7699/1: sched_clock: Add more notrace to prevent recursion Greg Kroah-Hartman
2013-04-29 19:02 ` [ 42/42] ARM: 7692/1: iop3xx: move IOP3XX_PERIPHERAL_VIRT_BASE Greg Kroah-Hartman
2013-04-30 1:54 ` [ 00/42] 3.8.11-stable review Shuah Khan
2013-04-30 1:54 ` Shuah Khan
2013-04-30 2:02 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130429184754.443665186@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=allan.stephens@windriver.com \
--cc=davem@davemloft.net \
--cc=jon.maloy@ericsson.com \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.