Message-ID: <20131116054344.GG26901@order.stressinduktion.org>
Date: Sat, 16 Nov 2013 06:43:44 +0100
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: mpb <mpb.mail@...il.com>
Cc: netdev@...r.kernel.org
Subject: [PATCH] socket: don't return uninitialized addresses on concurrent socket shutdown

If a blocking read waits on a socket which gets concurrently shut down we
return 0 as error and so indicate success to the socket functions which
thus copy an uninitialized stack allocated address back to the user.

Fix this by clearing the 128 byte size (on x86-64) address first.

This patch fixes the problem for recvfrom, recvmsg and recvmmsg.

Reported-by: mpb <mpb.mail@...il.com>
Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
---
net/socket.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/socket.c b/net/socket.c
index c226ace..44499db 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1834,6 +1834,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
if (!sock)
goto out;
+ memset(&address, 0, sizeof(address));
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_iovlen = 1;
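Review bot: The memset() added right after the `if (!sock)` check runs on every recvfrom call, while the ___sys_recvmsg hunk in this same patch only clears when `uaddr != NULL`. Consider applying the same kind of guard here, keyed on the caller's address argument, so that calls which do not ask for a source address skip the 128-byte clear. A one-line comment above the memset would also help, stating that it exists so a 0 return on concurrent shutdown cannot copy stale stack contents to user space; without it the line looks redundant and is likely to be removed in a later cleanup.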
@@ -2228,6 +2229,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
uaddr = (__force void __user *)msg_sys->msg_name;
uaddr_len = COMPAT_NAMELEN(msg);
+ if (uaddr != NULL)
+ memset(&addr, 0, sizeof(addr));
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
} else
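Review bot: The guarded memset() after `uaddr_len = COMPAT_NAMELEN(msg);` closes the information leak but leaves the underlying behaviour from the commit message in place: the receive path still returns 0 without filling in the address, and the copy back to the user still happens, so the caller now gets an all-zero address that looks like a valid result. It is worth considering whether the copy-out should be skipped when the lower layer never wrote a name, for example by making the copy depend on a length that is only set when an address was actually stored. As a style point, `if (uaddr)` is the more common form than `if (uaddr != NULL)`, and the reason for the clear deserves a short comment here as well.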
--
1.8.3.1