From 5a2d0282931967dc9d90248221b3120e1e33551c Mon Sep 17 00:00:00 2001
From: Xiaolong Huang
Date: Wed, 3 Nov 2021 23:33:55 +0800
Subject: [PATCH] net: ppp: pppoe: fix a kernel-infoleak in pppoe_getname()

The struct sockaddr_pppox has a 2-byte hole, and pppoe_getname() currently does not clear it before copying kernel data to user space.

Signed-off-by: Xiaolong Huang
---
 drivers/net/ppp/pppoe.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 3619520340b7..fec328ad7202 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -723,6 +723,11 @@ static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr,
 int len = sizeof(struct sockaddr_pppox);
 struct sockaddr_pppox sp;

+ /* There is an anonymous 2-byte hole after sa_family,
+ * make sure to clear it.
+ */
+ memset(&sp, 0, len);
+
 sp.sa_family = AF_PPPOX;
 sp.sa_protocol = PX_PROTO_OE;
 memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
-- 
2.25.1
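Review bot: The new `memset(&sp, 0, len)` takes its size from `len` rather than from the object being cleared; `memset(&sp, 0, sizeof(sp));` keeps the zeroing tied to `sp` even if `len` is later adjusted. The comment also asserts a specific 2-byte hole after `sa_family`, which this hunk cannot confirm and which would not exist if `struct sockaddr_pppox` is declared packed, so the struct definition is worth checking before relying on that wording. A layout-independent comment such as `/* Zero sp so no padding or unset union bytes reach user space. */` states the invariant the copy-out depends on. The rest of pppoe_getname(), including the copy into `uaddr`, lies outside the hunk.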