| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lsq.1465842997.562582840@decadent.org.uk>
Date: Mon, 13 Jun 2016 19:36:37 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "Pavel Emelyanov" <xemul@...allels.com>,
"David S. Miller" <davem@...emloft.net>,
"Mathias Krause" <minipli@...glemail.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
"Pavel Emelyanov" <xemul@...tuozzo.com>
Subject: [PATCH 3.16 024/114] packet: fix heap info leak in
PACKET_DIAG_MCLIST sock_diag interface
3.16.36-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@...glemail.com>
commit 309cf37fe2a781279b7675d4bb7173198e532867 upstream.
Because we miss to wipe the remainder of i->addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.
Fix this by explicitly memset(0)ing the remaining bytes in i->addr[].
Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
Signed-off-by: Mathias Krause <minipli@...glemail.com>
Cc: Eric W. Biederman <ebiederm@...ssion.com>
Cc: Pavel Emelyanov <xemul@...allels.com>
Acked-by: Pavel Emelyanov <xemul@...tuozzo.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
net/packet/af_packet.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3155,6 +3155,7 @@ static int packet_mc_add(struct sock *sk
i->ifindex = mreq->mr_ifindex;
i->alen = mreq->mr_alen;
memcpy(i->addr, mreq->mr_address, i->alen);
+ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen);
i->count = 1;
i->next = po->mclist;
po->mclist = i;
Powered by blists - more mailing lists