From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 47/48] dcbnl: fix various netlink info leaks
Date: Mon, 18 Mar 2013 14:08:55 -0700 [thread overview]
Message-ID: <20130318210813.566011616@linuxfoundation.org> (raw)
In-Reply-To: <20130318210810.247845918@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
The dcb netlink interface leaks stack memory in various places:
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
copied completely,
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
for ieee_pfc structs, etc.,
* the same is true for CEE -- no in-kernel driver fills the whole
struct,
Prevent all of the above stack info leaks by properly initializing the
buffers/structures involved.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dcb/dcbnl.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct n
dcb->dcb_family = AF_UNSPEC;
dcb->cmd = DCB_CMD_GPERM_HWADDR;
+ memset(perm_addr, 0, sizeof(perm_addr));
netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buf
if (ops->ieee_getets) {
struct ieee_ets ets;
+ memset(&ets, 0, sizeof(ets));
err = ops->ieee_getets(netdev, &ets);
if (!err)
NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buf
if (ops->ieee_getpfc) {
struct ieee_pfc pfc;
+ memset(&pfc, 0, sizeof(pfc));
err = ops->ieee_getpfc(netdev, &pfc);
if (!err)
NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buf
/* get peer info if available */
if (ops->ieee_peer_getets) {
struct ieee_ets ets;
+ memset(&ets, 0, sizeof(ets));
err = ops->ieee_peer_getets(netdev, &ets);
if (!err)
NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buf
if (ops->ieee_peer_getpfc) {
struct ieee_pfc pfc;
+ memset(&pfc, 0, sizeof(pfc));
err = ops->ieee_peer_getpfc(netdev, &pfc);
if (!err)
NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff
/* peer info if available */
if (ops->cee_peer_getpg) {
struct cee_pg pg;
+ memset(&pg, 0, sizeof(pg));
err = ops->cee_peer_getpg(netdev, &pg);
if (!err)
NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff
if (ops->cee_peer_getpfc) {
struct cee_pfc pfc;
+ memset(&pfc, 0, sizeof(pfc));
err = ops->cee_peer_getpfc(netdev, &pfc);
if (!err)
NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
next prev parent reply other threads:[~2013-03-18 21:08 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 21:08 [ 00/48] 3.4.37-stable review Greg Kroah-Hartman
2013-03-18 21:08 ` [ 01/48] qcaux: add Franklin U600 Greg Kroah-Hartman
2013-03-18 21:08 ` [ 02/48] xen/pciback: Dont disable a PCI device that is already disabled Greg Kroah-Hartman
2013-03-18 21:08 ` [ 03/48] virtio: rng: disallow multiple device registrations, fixes crashes Greg Kroah-Hartman
2013-03-18 21:08 ` [ 04/48] USB: option: add Huawei E5331 Greg Kroah-Hartman
2013-03-18 21:08 ` [ 05/48] USB: cdc-wdm: fix buffer overflow Greg Kroah-Hartman
2013-03-18 21:08 ` [ 06/48] usb: cp210x new Vendor/Device IDs Greg Kroah-Hartman
2013-03-18 21:08 ` [ 07/48] USB: added support for Cinterions products AH6 and PLS8 Greg Kroah-Hartman
2013-03-18 21:08 ` [ 08/48] usb: serial: Add Rigblaster Advantage to device table Greg Kroah-Hartman
2013-03-18 21:08 ` [ 09/48] USB: storage: fix Huawei mode switching regression Greg Kroah-Hartman
2013-03-18 21:08 ` [ 10/48] USB: EHCI: dont check DMA values in QH overlays Greg Kroah-Hartman
2013-03-18 21:08 ` [ 11/48] staging: vt6656: Fix oops on resume from suspend Greg Kroah-Hartman
2013-03-18 21:08 ` [ 12/48] signal: always clear sa_restorer on execve Greg Kroah-Hartman
2013-03-18 21:08 ` [ 13/48] ext3: Fix format string issues Greg Kroah-Hartman
2013-03-18 21:08 ` [ 14/48] serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller Greg Kroah-Hartman
2013-03-18 21:08 ` [ 15/48] tty: serial: fix typo "ARCH_S5P6450" Greg Kroah-Hartman
2013-03-18 21:08 ` [ 16/48] TTY: do not reset masters packet mode Greg Kroah-Hartman
2013-03-18 21:08 ` [ 17/48] perf,x86: fix kernel crash with PEBS/BTS after suspend/resume Greg Kroah-Hartman
2013-03-18 21:08 ` [ 18/48] ALSA: seq: Fix missing error handling in snd_seq_timer_open() Greg Kroah-Hartman
2013-03-18 21:08 ` [ 19/48] hwmon: (pmbus/ltc2978) Fix temperature reporting Greg Kroah-Hartman
2013-03-18 21:08 ` [ 20/48] hwmon: (lineage-pem) Add missing terminating entry for pem_[input|fan]_attributes Greg Kroah-Hartman
2013-03-18 21:08 ` [ 21/48] w1: fix oops when w1_search is called from netlink connector Greg Kroah-Hartman
2013-03-18 21:08 ` [ 22/48] powerpc: Fix STAB initialization Greg Kroah-Hartman
2013-03-18 21:08 ` [ 23/48] powerpc: Fix cputable entry for 970MP rev 1.0 Greg Kroah-Hartman
2013-03-18 21:08 ` [ 24/48] selinux: use GFP_ATOMIC under spin_lock Greg Kroah-Hartman
2013-03-18 21:08 ` [ 25/48] perf,x86: fix wrmsr_on_cpu() warning on suspend/resume Greg Kroah-Hartman
2013-03-18 21:08 ` [ 26/48] perf,x86: fix link failure for non-Intel configs Greg Kroah-Hartman
2013-03-18 21:08 ` [ 27/48] s390: critical section cleanup vs. machine checks Greg Kroah-Hartman
2013-03-18 21:08 ` [ 28/48] s390/mm: fix flush_tlb_kernel_range() Greg Kroah-Hartman
2013-03-18 21:08 ` [ 29/48] btrfs: use rcu_barrier() to wait for bdev puts at unmount Greg Kroah-Hartman
2013-03-18 21:08 ` [ 30/48] atmel_lcdfb: fix 16-bpp modes on older SOCs Greg Kroah-Hartman
2013-03-18 21:08 ` [ 31/48] drm/i915: EBUSY status handling added to i915_gem_fault() Greg Kroah-Hartman
2013-03-18 21:08 ` [ 32/48] hwmon: (sht15) Fix memory leak if regulator_enable() fails Greg Kroah-Hartman
2013-03-18 21:08 ` [ 33/48] block: use i_size_write() in bd_set_size() Greg Kroah-Hartman
2013-03-18 21:08 ` [ 34/48] loopdev: fix a deadlock Greg Kroah-Hartman
2013-03-18 21:08 ` [ 35/48] loopdev: remove an user triggerable oops Greg Kroah-Hartman
2013-03-18 21:08 ` [ 36/48] drm/i915: Increase the RC6p threshold Greg Kroah-Hartman
2013-03-18 21:08 ` [ 37/48] l2tp: Restore socket refcount when sendmsg succeeds Greg Kroah-Hartman
2013-03-18 21:08 ` [ 38/48] rds: limit the size allocated by rds_message_alloc() Greg Kroah-Hartman
2013-03-18 21:08 ` [ 39/48] net: ipv6: Dont purge default router if accept_ra=2 Greg Kroah-Hartman
2013-03-18 21:08 ` [ 40/48] tcp: fix double-counted receiver RTT when leaving receiver fast path Greg Kroah-Hartman
2013-03-18 21:08 ` [ 41/48] tun: add a missing nf_reset() in tun_net_xmit() Greg Kroah-Hartman
2013-03-18 21:08 ` [ 42/48] macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode Greg Kroah-Hartman
2013-03-18 21:08 ` [ 43/48] netlabel: correctly list all the static label mappings Greg Kroah-Hartman
2013-03-18 21:08 ` [ 44/48] bridging: fix rx_handlers return code Greg Kroah-Hartman
2013-03-18 21:08 ` [ 45/48] ipv6: stop multicast forwarding to process interface scoped addresses Greg Kroah-Hartman
2013-03-18 21:08 ` [ 46/48] rtnl: fix info leak on RTM_GETLINK request for VF devices Greg Kroah-Hartman
2013-03-18 21:08 ` Greg Kroah-Hartman [this message]
2013-03-18 21:08 ` [ 48/48] 6lowpan: Fix endianness issue in is_addr_link_local() Greg Kroah-Hartman
2013-03-19 0:50 ` [ 00/48] 3.4.37-stable review Shuah Khan
2013-03-19 0:57 ` Parag Warudkar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130318210813.566011616@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).