| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Jun 2013 07:35:00 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: Willy Tarreau <w@....eu>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Marcel Holtmann <marcel@...tmann.org>,
Gustavo Padovan <gustavo@...ovan.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Mathias Krause <minipli@...glemail.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [ 102/184] Bluetooth: fix possible info leak in
On Tue, 2013-06-04 at 19:23 +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
> bt_sock_recvmsg()
>
> From: Mathias Krause <minipli@...glemail.com>
commit 4683f42fde3977bdb4e8a09622788cc8b5313778 upstream.
> In case the socket is already shutting down, bt_sock_recvmsg() returns
> with 0 without updating msg_namelen leading to net/socket.c leaking the
> local, uninitialized sockaddr_storage variable to userland -- 128 bytes
> of kernel stack memory.
>
> Fix this by moving the msg_namelen assignment in front of the shutdown
> test.
>
> Cc: Marcel Holtmann <marcel@...tmann.org>
> Cc: Gustavo Padovan <gustavo@...ovan.org>
> Cc: Johan Hedberg <johan.hedberg@...il.com>
> Signed-off-by: Mathias Krause <minipli@...glemail.com>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> [dannf: adjusted to apply to Debian's 2.6.32]
> Signed-off-by: Willy Tarreau <w@....eu>
> ---
> net/bluetooth/af_bluetooth.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 8cfb5a8..d7239dd 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
> if (flags & (MSG_OOB))
> return -EOPNOTSUPP;
>
> + msg->msg_namelen = 0;
> +
> if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) {
> if (sk->sk_shutdown & RCV_SHUTDOWN)
> return 0;
> return err;
> }
>
> - msg->msg_namelen = 0;
> -
> copied = skb->len;
> if (len < copied) {
> msg->msg_flags |= MSG_TRUNC;
--
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers
Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)
Powered by blists - more mailing lists