From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
Herbert Xu <herbert@gondor.hengli.com.au>
Subject: [ 17/26] crypto: algif - suppress sending source address information in recvmsg
Date: Tue, 23 Apr 2013 14:53:57 -0700 [thread overview]
Message-ID: <20130423215335.137328642@linuxfoundation.org> (raw)
In-Reply-To: <20130423215333.344045754@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe upstream.
The current code does not set the msg_namelen member to 0 and therefore
makes net/socket.c leak the local sockaddr_storage variable to userland
-- 128 bytes of kernel stack memory. Fix that.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/algif_hash.c | 2 ++
crypto/algif_skcipher.c | 1 +
2 files changed, 3 insertions(+)
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *un
else if (len < ds)
msg->msg_flags |= MSG_TRUNC;
+ msg->msg_namelen = 0;
+
lock_sock(sk);
if (ctx->more) {
ctx->more = 0;
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb
long copied = 0;
lock_sock(sk);
+ msg->msg_namelen = 0;
for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
iovlen--, iov++) {
unsigned long seglen = iov->iov_len;
next prev parent reply other threads:[~2013-04-23 22:05 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-23 21:53 [ 00/26] 3.4.42-stable review Greg Kroah-Hartman
2013-04-23 21:53 ` [ 01/26] ARM: Do 15e0d9e37c (ARM: pm: let platforms select cpu_suspend support) properly Greg Kroah-Hartman
2013-04-23 21:53 ` [ 02/26] hrtimer: Dont reinitialize a cpu_base lock on CPU_UP Greg Kroah-Hartman
2013-04-23 21:53 ` [ 03/26] can: sja1000: fix handling on dt properties on little endian systems Greg Kroah-Hartman
2013-04-23 21:53 ` [ 04/26] hugetlbfs: add swap entry check in follow_hugetlb_page() Greg Kroah-Hartman
2013-04-24 23:04 ` Ben Hutchings
2013-04-24 23:23 ` Greg Kroah-Hartman
2013-04-26 11:38 ` Naoya Horiguchi
2013-04-26 11:41 ` Ben Hutchings
2013-04-23 21:53 ` [ 05/26] kernel/signal.c: stop info leak via the tkill and the tgkill syscalls Greg Kroah-Hartman
2013-04-23 21:53 ` [ 06/26] hfsplus: fix potential overflow in hfsplus_file_truncate() Greg Kroah-Hartman
2013-04-23 21:53 ` [ 07/26] KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) Greg Kroah-Hartman
2013-04-23 21:53 ` [ 08/26] KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) Greg Kroah-Hartman
2013-04-23 21:53 ` [ 09/26] KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) Greg Kroah-Hartman
2013-04-23 21:53 ` [ 10/26] KVM: Allow cross page reads and writes from cached translations Greg Kroah-Hartman
2013-04-23 21:53 ` [ 11/26] sched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s Greg Kroah-Hartman
2013-04-23 21:53 ` [ 12/26] ARM: 7696/1: Fix kexec by setting outer_cache.inv_all for Feroceon Greg Kroah-Hartman
2013-04-23 21:53 ` [ 13/26] ARM: 7698/1: perf: fix group validation when using enable_on_exec Greg Kroah-Hartman
2013-04-23 21:53 ` [ 14/26] ath9k_htc: accept 1.x firmware newer than 1.3 Greg Kroah-Hartman
2013-04-23 21:53 ` [ 15/26] ath9k_hw: change AR9580 initvals to fix a stability issue Greg Kroah-Hartman
2013-04-23 21:53 ` [ 16/26] ssb: implement spurious tone avoidance Greg Kroah-Hartman
2013-04-23 21:53 ` Greg Kroah-Hartman [this message]
2013-04-23 21:53 ` [ 18/26] perf: Treat attr.config as u64 in perf_swevent_init() Greg Kroah-Hartman
2013-04-23 21:53 ` [ 19/26] perf/x86: Fix offcore_rsp valid mask for SNB/IVB Greg Kroah-Hartman
2013-04-23 21:54 ` [ 20/26] fbcon: fix locking harder Greg Kroah-Hartman
2013-04-23 21:54 ` [ 21/26] vm: add vm_iomap_memory() helper function Greg Kroah-Hartman
2013-04-23 21:54 ` [ 22/26] vm: convert snd_pcm_lib_mmap_iomem() to vm_iomap_memory() helper Greg Kroah-Hartman
2013-04-23 21:54 ` [ 23/26] vm: convert fb_mmap " Greg Kroah-Hartman
2013-04-23 21:54 ` [ 24/26] vm: convert HPET mmap " Greg Kroah-Hartman
2013-04-23 21:54 ` [ 25/26] vm: convert mtdchar " Greg Kroah-Hartman
2013-04-23 21:54 ` [ 26/26] Btrfs: make sure nbytes are right after log replay Greg Kroah-Hartman
2013-04-24 16:24 ` [ 00/26] 3.4.42-stable review Shuah Khan
2013-04-25 10:41 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130423215335.137328642@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox