From patchwork Thu Mar 17 11:40:10 2011
X-Patchwork-Submitter: Vasiliy Kulikov
X-Patchwork-Id: 87364
X-Patchwork-Delegate: davem@davemloft.net
From: Vasiliy Kulikov To: linux-kernel@vger.kernel.org Cc: security@kernel.org, "David S. Miller" , Phil Blundell , Eric Dumazet , Tejun Heo , Nelson Elhage , netdev@vger.kernel.org Subject: [PATCH] econet: 4 byte infoleak to the network Date: Thu, 17 Mar 2011 14:40:10 +0300 Message-Id: <1300362011-8653-1-git-send-email-segoon@openwall.com> X-Mailer: git-send-email 1.7.0.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: Vasiliy Kulikov Acked-by: Phil Blundell --- net/econet/af_econet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index 0c28263..116d3fd 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c @@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, udpdest.sin_addr.s_addr = htonl(network | addr.station); } + memset(&ah, 0, sizeof(ah)); ah.port = port; ah.cb = cb & 0x7f; ah.code = 2; /* magic */ - ah.pad = 0; /* tack our header on the front of the iovec */ size = sizeof(struct aunhdr);
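Review bot: the new `memset(&ah, 0, sizeof(ah));` at the top of the hunk should carry a short comment stating that it exists to clear the struct's padding bytes before the header is copied to the wire; without it, a later cleanup could turn the memset back into per-field assignments or a `= { 0 }` initializer, and neither of those is guaranteed by the C standard to zero padding, which would silently reintroduce the 4-byte stack leak the commit message describes. Ordering in the hunk is correct: every visible `ah.*` assignment (`ah.port`, `ah.cb`, `ah.code`) comes after the memset, so nothing is overwritten, and dropping `ah.pad = 0;` is right because the memset already covers that field.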