Bug 196533

Summary: kernel stack infoleaks
Product: Networking Reporter: zhh (sohu0106)
Component: Other    Assignee: Stephen Hemminger (stephen)
Status: NEW ---    
Severity: low CC: sohu0106
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.12.2 Subsystem:
Regression: No Bisected commit-id:

Description zhh 2017-07-30 05:13:08 UTC
bug in net/irda/af_irda.c  


Sometimes irda_getsockopt() doesn't initialize all members of the list field of the irda_device_list struct. This structure is then copied to
userland. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero, or it will allow local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.



https://github.com/torvalds/linux/pull/440
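The pattern the report describes, as an added example that is not the reporter's patch or the kernel's code: a local structure is only partially assigned before being copied out to the caller, so the bytes nobody wrote (untouched members and padding) carry whatever the stack slot held before. The struct layout below is a simplified stand-in for irda_device_list/irda_device_info (field names and sizes are assumptions), `fake_get_discoveries` models the discovery call writing only the length back, and the stale stack contents are modelled by pre-filling the slot with a known byte so the leak is deterministic and measurable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the kernel's irda_device_list / irda_device_info
 * pair (constructed for this example; names and sizes are assumptions). */
struct dev_info {
    uint32_t saddr;
    uint32_t daddr;
    char     info[22];
    uint8_t  charset;
    uint8_t  hints[2];
};

struct dev_list {
    uint32_t        len;
    struct dev_info dev[1];
};

/* Byte pattern standing in for whatever an earlier call left on the stack. */
#define STALE_BYTE 0xA5

/* Models the discovery call: it writes only the length back. Reporting zero
 * devices means nothing else in the structure is ever assigned. */
static void fake_get_discoveries(uint32_t *len)
{
    *len = 0;
}

/* Leaky pattern: `frame` stands in for the stack slot of the local variable
 * and is pre-filled with STALE_BYTE; only `len` is written before the whole
 * structure is copied out (memcpy stands in for copy_to_user). */
static size_t getsockopt_leaky(struct dev_list *frame, uint8_t *user_buf, size_t user_len)
{
    memset(frame, STALE_BYTE, sizeof *frame);     /* "old" stack contents */
    fake_get_discoveries(&frame->len);            /* only len is assigned */
    if (user_len < sizeof *frame)
        return 0;
    memcpy(user_buf, frame, sizeof *frame);
    return sizeof *frame;
}

/* Fixed pattern: zero the whole object before use, as the report proposes,
 * so untouched members and padding carry no stale data. */
static size_t getsockopt_fixed(struct dev_list *frame, uint8_t *user_buf, size_t user_len)
{
    memset(frame, STALE_BYTE, sizeof *frame);     /* same "old" contents */
    memset(frame, 0, sizeof *frame);              /* the fix */
    fake_get_discoveries(&frame->len);
    if (user_len < sizeof *frame)
        return 0;
    memcpy(user_buf, frame, sizeof *frame);
    return sizeof *frame;
}

/* Counts bytes in the copied-out buffer that still carry the stale pattern. */
static size_t count_stale_bytes(const uint8_t *buf, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            hits++;
    return hits;
}

/* Stale bytes that reach the caller with the leaky pattern:
 * everything except the 4 bytes of `len`. */
static size_t leaked_bytes_vulnerable(void)
{
    struct dev_list frame;
    uint8_t out[sizeof frame];
    size_t n = getsockopt_leaky(&frame, out, sizeof out);
    return count_stale_bytes(out, n);
}

/* Stale bytes that reach the caller once the structure is zeroed first. */
static size_t leaked_bytes_fixed(void)
{
    struct dev_list frame;
    uint8_t out[sizeof frame];
    size_t n = getsockopt_fixed(&frame, out, sizeof out);
    return count_stale_bytes(out, n);
}

int main(void)
{
    printf("leaky: %zu stale bytes copied out of %zu\n",
           leaked_bytes_vulnerable(), sizeof(struct dev_list));
    printf("fixed: %zu stale bytes copied out\n", leaked_bytes_fixed());
    return 0;
}
```

The size of the copy is the whole structure here, to match the description's "copied to userland"; in a real review the number of bytes that actually reach userland is what decides the severity, which is why a fix should state exactly which copy the zeroing protects.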
Comment 1 zhh 2017-08-01 13:17:04 UTC
patch

2  net/irda/af_irda.c
@@ -2248,6 +2248,8 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
 			err = -EINVAL;
 			goto out;
 		}
+			
+		memset( &list, 0, sizeof(struct irda_device_list) );
 
 		/* Ask lmp for the current discovery log */
 		discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
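Review bot: the added memset uses non-kernel spacing (`memset( &list, 0, sizeof(struct irda_device_list) );`) and the added line before it is whitespace-only, carrying trailing tabs; both will be flagged by checkpatch. Suggest `memset(&list, 0, sizeof(list));` with no blank `+` line. The hunk's context also does not show how `list` is declared: if it is already zero-initialised at its declaration, the memset is redundant, and the patch should explain which bytes the existing code leaves unset and which copy to userland reaches them (the context shows only `irlmp_get_discoveries(&list.len, ...)`, not the copy). The comment contains no commit message or Signed-off-by line, which the patch needs before it can be applied.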