From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Kees Cook <kees.cook@canonical.com>,
Ben Hutchings <bhutchings@solarflare.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [29/44] net: clear heap allocations for privileged ethtool actions
Date: Tue, 07 Dec 2010 16:04:28 -0800
Message-ID: <20101208000642.468707494@clark.site>
In-Reply-To: <20101208003205.GA4286@kroah.com>
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Kees Cook <kees.cook@canonical.com>
[ Upstream commit b00916b189d13a615ff05c9242201135992fcda3 ]
Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.
Cc: stable@kernel.org
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/core/ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -256,7 +256,7 @@ static int ethtool_get_regs(struct net_d
if (regs.len > reglen)
regs.len = reglen;
- regbuf = kmalloc(reglen, GFP_USER);
+ regbuf = kzalloc(reglen, GFP_USER);
if (!regbuf)
return -ENOMEM;
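Review bot: the changelog speaks of "several other ethtool functions" leaving heap uncleared, but the diffstat is one insertion and one deletion, and the only site converted is the regbuf allocation in ethtool_get_regs(). Please state in the changelog that this 2.6.27 backport covers only that site. If the 2.6.27 net/core/ethtool.c has other kmalloc() buffers that a driver fills and that are then copied back to userspace, convert them in the same patch. Within this hunk, the buffer is sized by reglen while regs.len is only clamped to it, so zeroing the full reglen allocation is the right scope for the case where a driver writes fewer bytes than it reported.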