[PATCH] tcp: sysctl interface leaks 16 bytes of kernel memory

[PATCH] tcp: sysctl interface leaks 16 bytes of kernel memory

[Alan Cox]

From: Alan Cox <alan@linux.intel.com>

If the rc_dereference of tcp_fastopen_ctx ever fails then we copy 16 bytes
of kernel stack into the proc result.

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 net/ipv4/sysctl_net_ipv4.c |    2 ++
 1 file changed, 2 insertions(+)


diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 9205e49..63d4ecc 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -248,6 +248,8 @@ int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer,
 	ctxt = rcu_dereference(tcp_fastopen_ctx);
 	if (ctxt)
 		memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);
+	else
+		memset(user_key, 0, sizeof(user_key));
 	rcu_read_unlock();
 
 	snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x",

Re: [PATCH] tcp: sysctl interface leaks 16 bytes of kernel memory

[David Miller]

From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Thu, 11 Oct 2012 17:24:14 +0100

> From: Alan Cox <alan@linux.intel.com>
> 
> If the rc_dereference of tcp_fastopen_ctx ever fails then we copy 16 bytes
> of kernel stack into the proc result.
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Applied and queued up for -stable.