From patchwork Tue Jul 26 18:51:03 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 106905 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id BD54BB6F83 for ; Wed, 27 Jul 2011 04:51:23 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Qlmil-0002ol-9i; Tue, 26 Jul 2011 18:51:11 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Qlmih-0002lG-Bz for kernel-team@lists.ubuntu.com; Tue, 26 Jul 2011 18:51:07 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1Qlmig-0002hV-4M for ; Tue, 26 Jul 2011 18:51:06 +0000 Received: from [85.210.144.167] (helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1Qlmig-0002ZV-0L for kernel-team@lists.ubuntu.com; Tue, 26 Jul 2011 18:51:06 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [lucid/fsl-imx51, maverick/ti-omap4 CVE 1/1] Bluetooth: sco: fix information leak to userspace Date: Tue, 26 Jul 2011 19:51:03 +0100 Message-Id: <1311706263-14144-3-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.4.1 In-Reply-To: <1311706263-14144-1-git-send-email-apw@canonical.com> References: <1311706263-14144-1-git-send-email-apw@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Vasiliy Kulikov struct sco_conninfo has one padding byte in the end. Local variable cinfo of type sco_conninfo is copied to userspace with this uninizialized one byte, leading to old stack contents leak. Signed-off-by: Vasiliy Kulikov Signed-off-by: Gustavo F. Padovan (cherry picked from commit c4c896e1471aec3b004a693c689f60be3b17ac86) CVE-2011-1078 BugLink: http://bugs.launchpad.net/bugs/816542 Signed-off-by: Andy Whitcroft --- net/bluetooth/sco.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 6e9c6e5..28b3d56 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -705,6 +705,7 @@ static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user break; } + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle; memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);