From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
Lauro Ramos Venancio <lauro.venancio@openbossa.org>,
Aloisio Almeida Jr <aloisio.almeida@openbossa.org>,
Samuel Ortiz <sameo@linux.intel.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 14/34] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
Date: Mon, 29 Apr 2013 12:02:21 -0700 [thread overview]
Message-ID: <20130429184702.509549397@linuxfoundation.org> (raw)
In-Reply-To: <20130429184700.845644077@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
[ Upstream commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb ]
The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.
Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/llcp/sock.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -514,6 +514,8 @@ static int llcp_sock_recvmsg(struct kioc
pr_debug("%p %zu\n", sk, len);
+ msg->msg_namelen = 0;
+
lock_sock(sk);
if (sk->sk_state == LLCP_CLOSED &&
next prev parent reply other threads:[~2013-04-29 19:02 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-29 19:02 [ 00/34] 3.4.43-stable review Greg Kroah-Hartman
2013-04-29 19:02 ` [ 01/34] aio: fix possible invalid memory access when DEBUG is enabled Greg Kroah-Hartman
2013-04-29 19:02 ` [ 02/34] TTY: do not update atime/mtime on read/write Greg Kroah-Hartman
2013-04-29 19:02 ` [ 03/34] TTY: fix atime/mtime regression Greg Kroah-Hartman
2013-04-29 19:02 ` [ 04/34] sparc64: Fix race in TLB batch processing Greg Kroah-Hartman
2013-04-29 19:02 ` [ 05/34] atm: update msg_namelen in vcc_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 06/34] ax25: fix info leak via msg_name in ax25_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 07/34] Bluetooth: fix possible info leak in bt_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 08/34] Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 09/34] caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 10/34] irda: Fix missing msg_namelen update in irda_recvmsg_dgram() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 11/34] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 12/34] llc: Fix missing msg_namelen update in llc_ui_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 13/34] netrom: fix info leak via msg_name in nr_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` Greg Kroah-Hartman [this message]
2013-04-29 19:02 ` [ 15/34] rose: fix info leak via msg_name in rose_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 16/34] tipc: fix info leaks via msg_name in recv_msg/recv_stream Greg Kroah-Hartman
2013-04-29 19:02 ` [ 17/34] netrom: fix invalid use of sizeof in nr_recvmsg() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 18/34] cbq: incorrect processing of high limits Greg Kroah-Hartman
2013-04-29 19:02 ` [ 19/34] net IPv6 : Fix broken IPv6 routing table after loopback down-up Greg Kroah-Hartman
2013-04-29 19:02 ` [ 20/34] net: count hw_addr syncs so that unsync works properly Greg Kroah-Hartman
2013-04-29 19:02 ` [ 21/34] atl1e: limit gso segment size to prevent generation of wrong ip length fields Greg Kroah-Hartman
2013-04-29 19:02 ` [ 22/34] bonding: fix bonding_masters race condition in bond unloading Greg Kroah-Hartman
2013-04-29 19:02 ` [ 23/34] bonding: IFF_BONDING is not stripped on enslave failure Greg Kroah-Hartman
2013-04-29 19:02 ` [ 24/34] af_unix: If we dont care about credentials coallesce all messages Greg Kroah-Hartman
2013-04-29 19:02 ` [ 25/34] netfilter: dont reset nf_trace in nf_reset() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 26/34] rtnetlink: Call nlmsg_parse() with correct header length Greg Kroah-Hartman
2013-04-29 19:02 ` [ 27/34] tcp: incoming connections might use wrong route under synflood Greg Kroah-Hartman
2013-04-29 19:02 ` [ 28/34] tcp: Reallocate headroom if it would overflow csum_start Greg Kroah-Hartman
2013-04-29 19:02 ` [ 29/34] esp4: fix error return code in esp_output() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 30/34] net: sctp: sctp_auth_key_put: use kzfree instead of kfree Greg Kroah-Hartman
2013-04-29 19:02 ` [ 31/34] tcp: call tcp_replace_ts_recent() from tcp_ack() Greg Kroah-Hartman
2013-04-29 19:02 ` [ 32/34] net: rate-limit warn-bad-offload splats Greg Kroah-Hartman
2013-04-29 19:02 ` [ 33/34] net: fix incorrect credentials passing Greg Kroah-Hartman
2013-04-29 19:02 ` [ 34/34] net: drop dst before queueing fragments Greg Kroah-Hartman
2013-04-30 1:54 ` [ 00/34] 3.4.43-stable review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130429184702.509549397@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aloisio.almeida@openbossa.org \
--cc=davem@davemloft.net \
--cc=lauro.venancio@openbossa.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=sameo@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox