Bug 196533 - kernel stack infoleaks
Summary: kernel stack infoleaks
Status: NEW
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 low
Assignee: Stephen Hemminger
Reported: 2017-07-30 05:13 UTC by zhh
Modified: 2017-08-01 13:17 UTC

Kernel Version: 4.12.2
Regression: No


Description zhh 2017-07-30 05:13:08 UTC
bug in net/irda/af_irda.c


Sometimes irda_getsockopt() doesn't initialize all members of the list field of the irda_device_list struct. This structure is then copied to
userland. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero, or it will allow local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.



https://github.com/torvalds/linux/pull/440
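As an added userspace illustration (not code from the report or from the kernel) of the pattern the report describes: a struct sitting in a stack slot that still holds old bytes, only partly written, then copied out whole, beside the zero-before-use form. The struct layout follows include/uapi/linux/irda.h; the stale-byte fill, the function names and the counting helper are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout as declared in include/uapi/linux/irda.h. */
struct irda_device_info {
	uint32_t saddr;
	uint32_t daddr;
	char     info[22];
	uint8_t  charset;
	uint8_t  hints[2];
};

struct irda_device_list {
	uint32_t len;
	struct irda_device_info dev[1];
};

#define STALE 0xAA /* constructed marker standing in for old stack bytes */

/* Count how many STALE bytes reached the "user" copy. */
static size_t count_stale(const unsigned char *p, size_t n)
{
	size_t leaked = 0;
	for (size_t i = 0; i < n; i++)
		if (p[i] == STALE)
			leaked++;
	return leaked;
}

/* Unfixed pattern: only len is written, then the whole struct is copied. */
size_t getsockopt_unfixed(void)
{
	unsigned char user_buf[sizeof(struct irda_device_list)];
	struct irda_device_list list;
	memset(&list, STALE, sizeof(list));      /* models stale stack contents */
	list.len = 0;                            /* the only member written */
	memcpy(user_buf, &list, sizeof(list));   /* stands in for copy_to_user() */
	return count_stale(user_buf, sizeof(list));
}

/* Zeroed form: the struct is cleared before any member is set or copied. */
size_t getsockopt_fixed(void)
{
	unsigned char user_buf[sizeof(struct irda_device_list)];
	struct irda_device_list list;
	memset(&list, STALE, sizeof(list));      /* same stale stack model */
	memset(&list, 0, sizeof(list));          /* the zeroing the patch adds */
	list.len = 0;
	memcpy(user_buf, &list, sizeof(list));
	return count_stale(user_buf, sizeof(list));
}
```

Every byte past `len` (including struct padding) leaks in the unfixed form, while the zeroed form copies none of the stale marker.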
Comment 1 zhh 2017-08-01 13:17:04 UTC
patch

2  net/irda/af_irda.c
@@ -2248,6 +2248,8 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
 			err = -EINVAL;
 			goto out;
 		}
+			
+		memset( &list, 0, sizeof(struct irda_device_list) );
 
 		/* Ask lmp for the current discovery log */
 		discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
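Review bot: the first added line of the hunk (`+` followed only by tabs) introduces a whitespace-only line, which checkpatch will flag; make it an empty line. The memset call also does not follow kernel style: drop the spaces inside the parentheses and prefer the variable over the type name, i.e. `memset(&list, 0, sizeof(list));`. The patch as posted carries no changelog or Signed-off-by; the description should state which copy of `list` to userland carries the uninitialized bytes so reviewers can confirm the zeroing sits before it.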
