From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mathias Krause <minipli@googlemail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 57/86] dcbnl: fix various netlink info leaks
Date: Tue, 26 Mar 2013 13:21:56 -0400 [thread overview]
Message-ID: <20130326173609.037285459@goodmis.org> (raw)
In-Reply-To: 20130326172059.136127374@goodmis.org
[-- Attachment #1: 0057-dcbnl-fix-various-netlink-info-leaks.patch --]
[-- Type: text/plain, Size: 3570 bytes --]
3.6.11.1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
The dcb netlink interface leaks stack memory in various places:
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
copied completely,
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
for ieee_pfc structs, etc.,
* the same is true for CEE -- no in-kernel driver fills the whole
struct,
Prevent all of the above stack info leaks by properly initializing the
buffers/structures involved.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/dcb/dcbnl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 81f2bb6..eb1b2eb 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh,
if (!netdev->dcbnl_ops->getpermhwaddr)
return -EOPNOTSUPP;
+ memset(perm_addr, 0, sizeof(perm_addr));
netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
if (ops->ieee_getets) {
struct ieee_ets ets;
+ memset(&ets, 0, sizeof(ets));
err = ops->ieee_getets(netdev, &ets);
if (!err &&
nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
if (ops->ieee_getmaxrate) {
struct ieee_maxrate maxrate;
+ memset(&maxrate, 0, sizeof(maxrate));
err = ops->ieee_getmaxrate(netdev, &maxrate);
if (!err) {
err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
if (ops->ieee_getpfc) {
struct ieee_pfc pfc;
+ memset(&pfc, 0, sizeof(pfc));
err = ops->ieee_getpfc(netdev, &pfc);
if (!err &&
nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
/* get peer info if available */
if (ops->ieee_peer_getets) {
struct ieee_ets ets;
+ memset(&ets, 0, sizeof(ets));
err = ops->ieee_peer_getets(netdev, &ets);
if (!err &&
nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
if (ops->ieee_peer_getpfc) {
struct ieee_pfc pfc;
+ memset(&pfc, 0, sizeof(pfc));
err = ops->ieee_peer_getpfc(netdev, &pfc);
if (!err &&
nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
/* peer info if available */
if (ops->cee_peer_getpg) {
struct cee_pg pg;
+ memset(&pg, 0, sizeof(pg));
err = ops->cee_peer_getpg(netdev, &pg);
if (!err &&
nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
if (ops->cee_peer_getpfc) {
struct cee_pfc pfc;
+ memset(&pfc, 0, sizeof(pfc));
err = ops->cee_peer_getpfc(netdev, &pfc);
if (!err &&
nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
--
1.7.10.4
next prev parent reply other threads:[~2013-03-26 17:21 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-26 17:20 [PATCH 00/86] [ANNOUNCE] The new 3.6.11.x short-term extended stable series (stable review) Steven Rostedt
2013-03-26 17:21 ` [PATCH 01/86] sparc: huge_ptep_set_* functions need to call set_huge_pte_at() Steven Rostedt
2013-03-26 17:21 ` [PATCH 02/86] batman-adv: fix random jitter calculation Steven Rostedt
2013-03-26 17:21 ` [PATCH 03/86] inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock Steven Rostedt
2013-03-26 17:21 ` [PATCH 04/86] net: sched: integer overflow fix Steven Rostedt
2013-03-26 17:21 ` [PATCH 05/86] tcp: fix MSG_SENDPAGE_NOTLAST logic Steven Rostedt
2013-03-26 17:21 ` [PATCH 06/86] tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() Steven Rostedt
2013-03-26 17:21 ` [PATCH 07/86] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation Steven Rostedt
2013-03-26 17:21 ` [PATCH 08/86] net: prevent setting ttl=0 via IP_TTL Steven Rostedt
2013-03-26 17:21 ` [PATCH 09/86] ipv6: fix the noflags test in addrconf_get_prefix_route Steven Rostedt
2013-03-26 17:21 ` [PATCH 10/86] MAINTAINERS: Stephen Hemminger email change Steven Rostedt
2013-03-26 17:21 ` [PATCH 11/86] ipv6: fix header length calculation in ip6_append_data() Steven Rostedt
2013-03-26 17:21 ` [PATCH 12/86] net: calxedaxgmac: throw away overrun frames Steven Rostedt
2013-03-26 17:21 ` [PATCH 13/86] net/mlx4_en: Fix bridged vSwitch configuration for non SRIOV mode Steven Rostedt
2013-03-26 17:21 ` [PATCH 14/86] net/mlx4_core: Set number of msix vectors under SRIOV mode to firmware defaults Steven Rostedt
2013-03-26 17:21 ` [PATCH 15/86] isdn/gigaset: fix zero size border case in debug dump Steven Rostedt
2013-03-26 17:21 ` [PATCH 16/86] netxen: fix off by one bug in netxen_release_tx_buffer() Steven Rostedt
2013-03-26 17:21 ` [PATCH 17/86] r8169: remove the obsolete and incorrect AMD workaround Steven Rostedt
2013-03-26 17:21 ` [PATCH 18/86] net: loopback: fix a dst refcounting issue Steven Rostedt
2013-03-26 17:21 ` [PATCH 19/86] pktgen: correctly handle failures when adding a device Steven Rostedt
2013-03-26 17:21 ` [PATCH 20/86] ipv6: do not create neighbor entries for local delivery Steven Rostedt
2013-03-26 17:21 ` [PATCH 21/86] via-rhine: Fix bugs in NAPI support Steven Rostedt
2013-03-26 17:21 ` [PATCH 22/86] packet: fix leakage of tx_ring memory Steven Rostedt
2013-03-26 17:21 ` [PATCH 23/86] atm/iphase: rename fregt_t -> ffreg_t Steven Rostedt
2013-03-26 17:21 ` [PATCH 24/86] sctp: refactor sctp_outq_teardown to insure proper re-initalization Steven Rostedt
2013-03-26 17:21 ` [PATCH 25/86] net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree Steven Rostedt
2013-03-26 17:21 ` [PATCH 26/86] net: sctp: sctp_endpoint_free: zero out secret key data Steven Rostedt
2013-03-26 17:21 ` [PATCH 27/86] xen/netback: shutdown the ring if it contains garbage Steven Rostedt
2013-03-26 17:21 ` [PATCH 28/86] xen/netback: dont leak pages on failure in xen_netbk_tx_check_gop Steven Rostedt
2013-03-26 17:21 ` [PATCH 29/86] xen/netback: free already allocated memory on failure in xen_netbk_get_requests Steven Rostedt
2013-03-26 17:21 ` [PATCH 30/86] netback: correct netbk_tx_err to handle wrap around Steven Rostedt
2013-03-26 17:21 ` [PATCH 31/86] tcp: frto should not set snd_cwnd to 0 Steven Rostedt
2013-03-26 17:21 ` [PATCH 32/86] tcp: fix for zero packets_in_flight was too broad Steven Rostedt
2013-03-26 17:21 ` [PATCH 33/86] bridge: Pull ip header into skb->data before looking into ip header Steven Rostedt
2013-03-26 17:21 ` [PATCH 34/86] tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode Steven Rostedt
2013-03-26 17:21 ` [PATCH 35/86] tg3: Fix crc errors on jumbo frame receive Steven Rostedt
2013-03-26 17:21 ` [PATCH 36/86] sunvdc: Fix off-by-one in generic_request() Steven Rostedt
2013-03-26 17:21 ` [PATCH 37/86] bridge: set priority of STP packets Steven Rostedt
2013-03-26 17:21 ` [PATCH 38/86] net: fix infinite loop in __skb_recv_datagram() Steven Rostedt
2013-03-26 17:21 ` [PATCH 39/86] xen-netback: correctly return errors from netbk_count_requests() Steven Rostedt
2013-03-26 17:21 ` [PATCH 40/86] xen-netback: cancel the credit timer when taking the vif down Steven Rostedt
2013-03-26 17:21 ` [PATCH 41/86] net: fix a compile error when SOCK_REFCNT_DEBUG is enabled Steven Rostedt
2013-03-26 17:21 ` [PATCH 42/86] ipv4: fix a bug in ping_err() Steven Rostedt
2013-03-26 17:21 ` [PATCH 43/86] ipv6: use a stronger hash for tcp Steven Rostedt
2013-03-26 17:21 ` [PATCH 44/86] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Steven Rostedt
2013-03-26 17:21 ` [PATCH 45/86] vlan: adjust vlan_set_encap_proto() for its callers Steven Rostedt
2013-03-26 17:21 ` [PATCH 46/86] l2tp: Restore socket refcount when sendmsg succeeds Steven Rostedt
2013-03-26 17:21 ` [PATCH 47/86] rds: limit the size allocated by rds_message_alloc() Steven Rostedt
2013-03-26 17:21 ` [PATCH 48/86] net: ipv6: Dont purge default router if accept_ra=2 Steven Rostedt
2013-03-26 17:21 ` [PATCH 49/86] tcp: fix double-counted receiver RTT when leaving receiver fast path Steven Rostedt
2013-03-26 17:21 ` [PATCH 50/86] tun: add a missing nf_reset() in tun_net_xmit() Steven Rostedt
2013-03-26 17:21 ` [PATCH 51/86] macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode Steven Rostedt
2013-03-26 17:21 ` [PATCH 52/86] netlabel: fix build problems when CONFIG_IPV6=n Steven Rostedt
2013-03-26 17:21 ` [PATCH 53/86] netlabel: correctly list all the static label mappings Steven Rostedt
2013-03-26 17:21 ` [PATCH 54/86] bridging: fix rx_handlers return code Steven Rostedt
2013-03-26 17:21 ` [PATCH 55/86] ipv6: stop multicast forwarding to process interface scoped addresses Steven Rostedt
2013-03-26 17:21 ` [PATCH 56/86] rtnl: fix info leak on RTM_GETLINK request for VF devices Steven Rostedt
2013-03-26 17:21 ` Steven Rostedt [this message]
2013-03-26 17:21 ` [PATCH 58/86] 6lowpan: Fix endianness issue in is_addr_link_local() Steven Rostedt
2013-03-26 17:21 ` [PATCH 59/86] ipv6: Change skb->data before using icmpv6_notify() to propagate redirect Steven Rostedt
2013-03-26 17:21 ` [PATCH 60/86] mac802154: fix NOHZ local_softirq_pending 08 warning Steven Rostedt
2013-03-26 17:22 ` [PATCH 61/86] sctp: jsctp_sf_eat_sack: fix jprobes function signature mismatch Steven Rostedt
2013-03-26 17:22 ` [PATCH 62/86] macvlan: fix macvlan_get_size() Steven Rostedt
2013-03-26 17:22 ` [PATCH 63/86] tcp: fix incorrect LOCKDROPPEDICMPS counter Steven Rostedt
2013-03-26 17:22 ` [PATCH 64/86] IP_GRE: Fix kernel panic in IP_GRE with GRE csum Steven Rostedt
2013-03-27 4:28 ` Ben Hutchings
2013-03-27 4:35 ` Steven Rostedt
2013-03-26 17:22 ` [PATCH 65/86] ipv4: Remove output route check in ipv4_mtu Steven Rostedt
2013-03-26 17:22 ` [PATCH 66/86] ipv4: Dont update the pmtu on mtu locked routes Steven Rostedt
2013-03-26 17:22 ` [PATCH 67/86] ipv6: Add an error handler for icmp6 Steven Rostedt
2013-03-26 17:22 ` [PATCH 68/86] ipv4: Invalidate the socket cached route on pmtu events if possible Steven Rostedt
2013-03-26 17:22 ` [PATCH 69/86] ipv4: Add a socket release callback for datagram sockets Steven Rostedt
2013-03-26 17:22 ` [PATCH 70/86] ipv4: Fix route refcount on pmtu discovery Steven Rostedt
2013-03-26 17:22 ` [PATCH 71/86] tcp: detect SYN/data drop when F-RTO is disabled Steven Rostedt
2013-03-26 17:22 ` [PATCH 72/86] tcp: fix an infinite loop in tcp_slow_start() Steven Rostedt
2013-03-26 17:22 ` [PATCH 73/86] tcp: dont abort splice() after small transfers Steven Rostedt
2013-03-26 17:22 ` [PATCH 74/86] tcp: splice: fix an infinite loop in tcp_read_sock() Steven Rostedt
2013-03-26 17:22 ` [PATCH 75/86] tcp: fix splice() and tcp collapsing interaction Steven Rostedt
2013-03-26 17:22 ` [PATCH 76/86] net: splice: avoid high order page splitting Steven Rostedt
2013-03-26 17:22 ` [PATCH 77/86] net: splice: fix __splice_segment() Steven Rostedt
2013-03-26 17:22 ` [PATCH 78/86] sparc64: Add missing HAVE_ARCH_TRANSPARENT_HUGEPAGE Steven Rostedt
2013-03-26 17:22 ` [PATCH 79/86] sparc64: Fix gfp_flags setting in tsb_grow() Steven Rostedt
2013-03-26 17:22 ` [PATCH 80/86] xfrm: release neighbor upon dst destruction Steven Rostedt
2013-03-26 17:22 ` [PATCH 81/86] ppp: set qdisc_tx_busylock to avoid LOCKDEP splat Steven Rostedt
2013-03-26 17:22 ` [PATCH 82/86] ipv6: fix race condition regarding dst->expires and dst->from Steven Rostedt
2013-03-26 17:22 ` [PATCH 83/86] ipv4: fix error handling in icmp_protocol Steven Rostedt
2013-03-26 17:22 ` [PATCH 84/86] tcp: fix SYN-data space mis-accounting Steven Rostedt
2013-03-26 17:22 ` [PATCH 85/86] mlx4_en: fix allocation of CPU affinity reverse-map Steven Rostedt
2013-03-28 8:47 ` Amir Vadai
2013-03-26 17:22 ` [PATCH 86/86] team: unsyc the devices addresses when port is removed Steven Rostedt
2013-03-26 17:46 ` [PATCH 00/86] [ANNOUNCE] The new 3.6.11.x short-term extended stable series (stable review) Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130326173609.037285459@goodmis.org \
--to=rostedt@goodmis.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).