From patchwork Sun Oct 31 17:10:28 2010
X-Patchwork-Submitter: Kulikov Vasiliy
X-Patchwork-Id: 69725
X-Patchwork-Delegate: davem@davemloft.net
From: Vasiliy Kulikov
To: kernel-janitors@vger.kernel.org
Cc: "David S. Miller", Jiri Pirko, Eric Dumazet, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] net: packet: fix information leak to userland
Date: Sun, 31 Oct 2010 20:10:28 +0300
Message-Id: <1288545028-16436-1-git-send-email-segooon@gmail.com>
X-Mailer: git-send-email 1.7.0.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: netdev@vger.kernel.org

packet_getname_spkt() doesn't initialize all members of the sa_data field of the sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking the contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy().

The same with packet_getname(): it doesn't initialize the sll_pkttype field of sockaddr_ll. Set it to zero.

Signed-off-by: Vasiliy Kulikov
---
net/packet/af_packet.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 3616f27..0856a13 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1719,7 +1719,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); if (dev) - strlcpy(uaddr->sa_data, dev->name, 15); + strncpy(uaddr->sa_data, dev->name, 14); else memset(uaddr->sa_data, 0, 14); rcu_read_unlock(); @@ -1742,6 +1742,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, sll->sll_family = AF_PACKET; sll->sll_ifindex = po->ifindex; sll->sll_protocol = po->num; + sll->sll_pkttype = 0; rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); if (dev) {
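Review bot: in the packet_getname_spkt() hunk, the new `strncpy(uaddr->sa_data, dev->name, 14);` zero-pads sa_data but leaves it without a NUL terminator whenever dev->name is 14 or more characters long (interface names may be up to IFNAMSIZ-1 = 15 characters), so the commit message should say that sa_data is returned as a fixed-width field that userland must not assume is NUL-terminated. The length change from 15 to 14 is itself right: sa_data is a 14-byte array, the else branch's `memset(uaddr->sa_data, 0, 14);` already used that width, and the old `strlcpy(uaddr->sa_data, dev->name, 15);` could write its terminator one byte past the field. If callers rely on termination, `memset(uaddr->sa_data, 0, 14)` followed by `strlcpy(uaddr->sa_data, dev->name, 14)` both zero-fills and terminates, at the cost of truncating 14-character names to 13.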
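Review bot: in the packet_getname() hunk, `sll->sll_pkttype = 0;` closes the one gap the commit message names but keeps the initialisation field-by-field; any member of struct sockaddr_ll that is not assigned on both sides of the `if (dev) {` that follows (the unused tail of sll_addr[8] if fewer than 8 address bytes are written, for instance) and any padding bytes would still carry stack contents to userland. A `memset(sll, 0, sizeof(*sll));` placed before `sll->sll_family = AF_PACKET;` covers all of them at once and is easier to review than tracking each field separately.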
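As an added illustration of the leak the commit message describes (example code, not part of this patch or of the kernel), the following C model fills a 14-byte sa_data from an interface name both the pre-patch way and the patched way and counts the stale bytes that would reach userland; my_strlcpy, fill_sa_data and the 0xAA fill pattern are constructed for the example, and both calls use length 14 so the model stays inside the array.

```c
#include <string.h>

/* Width of struct sockaddr's sa_data, the buffer packet_getname_spkt() fills. */
#define SA_DATA_LEN 14

/* strlcpy is not in glibc; this stand-in has the BSD semantics: copy at most
 * size-1 bytes, NUL-terminate, and leave every byte after the NUL untouched. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    size_t n = len < size - 1 ? len : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Fill sa_data the pre-patch way (strlcpy) or the patched way (strncpy).
 * The buffer is first filled with 0xAA as a constructed stand-in for the stale
 * stack bytes the real caller leaves there. The model uses size 14 for both
 * calls, staying inside the array (the pre-patch call passed 15). */
static void fill_sa_data(char out[SA_DATA_LEN], const char *devname, int use_strncpy)
{
    memset(out, 0xAA, SA_DATA_LEN);
    if (use_strncpy)
        strncpy(out, devname, SA_DATA_LEN);    /* patched: zero-pads to 14 bytes */
    else
        my_strlcpy(out, devname, SA_DATA_LEN); /* old: stops writing after the NUL */
}

/* Stale bytes that survive the copy, i.e. bytes that would be handed to userland. */
int stale_bytes_after_copy(const char *devname, int use_strncpy)
{
    char buf[SA_DATA_LEN];
    int stale = 0;
    fill_sa_data(buf, devname, use_strncpy);
    for (int i = 0; i < SA_DATA_LEN; i++)
        stale += ((unsigned char)buf[i] == 0xAA);
    return stale;
}

/* strncpy does not NUL-terminate when the name fills all 14 bytes, so userland
 * must treat sa_data as fixed-width. Returns 1 if a NUL is present, else 0. */
int strncpy_result_terminated(const char *devname)
{
    char buf[SA_DATA_LEN];
    fill_sa_data(buf, devname, 1);
    return memchr(buf, '\0', SA_DATA_LEN) != NULL;
}
```

For "eth0" the strlcpy path leaves 9 of the 14 bytes untouched while the strncpy path leaves none; a 14-character name copied with strncpy comes back with no terminator.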