net/dev: fix information leak to userspace

net/dev: fix information leak to userspace

[Pavel Machek]

[-- Attachment #1: Type: text/plain, Size: 976 bytes --]

dev_get_mac_address() does not always initialize whole
structure. Unfortunately, other code copies such structure to
userspace, leaking information. Fix it.

Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
Cc: stable@kernel.org

diff --git a/net/core/dev.c b/net/core/dev.c
index 6c5967e80132..28283a9eb63a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8949,11 +8949,9 @@ int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)
 		ret = -ENODEV;
 		goto unlock;
 	}
-	if (!dev->addr_len)
-		memset(sa->sa_data, 0, size);
-	else
-		memcpy(sa->sa_data, dev->dev_addr,
-		       min_t(size_t, size, dev->addr_len));
+	memset(sa->sa_data, 0, size);
+	memcpy(sa->sa_data, dev->dev_addr,
+	       min_t(size_t, size, dev->addr_len));
 	sa->sa_family = dev->type;
 
 unlock:


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: net/dev: fix information leak to userspace

[Cong Wang]

On Sun, Mar 21, 2021 at 9:34 AM Pavel Machek <pavel@denx.de> wrote:
>
> dev_get_mac_address() does not always initialize whole
> structure. Unfortunately, other code copies such structure to
> userspace, leaking information. Fix it.

Well, most callers already initialize it with a memset() or copy_from_user(),
for example, __tun_chr_ioctl():

        if (cmd == TUNSETIFF || cmd == TUNSETQUEUE ||
            (_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) {
                if (copy_from_user(&ifr, argp, ifreq_len))
                        return -EFAULT;
        } else {
                memset(&ifr, 0, sizeof(ifr));
        }

Except tap_ioctl(), but we can just initialize 'sa' there instead of doing
it in dev_get_mac_address().

Thanks.