This is a note to let you know that I've just added the patch titled dcbnl: fix various netlink info leaks to the 3.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: dcbnl-fix-various-netlink-info-leaks.patch and it can be found in the queue-3.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 3512fe006b6a98f2138f8b7aeb1285ff5dd06402 Mon Sep 17 00:00:00 2001 From: Mathias Krause <minipli@xxxxxxxxxxxxxx> Date: Sat, 9 Mar 2013 05:52:21 +0000 Subject: dcbnl: fix various netlink info leaks From: Mathias Krause <minipli@xxxxxxxxxxxxxx> [ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ] The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/dcb/dcbnl.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/dcb/dcbnl.c +++ b/net/dcb/dcbnl.c @@ -335,6 +335,7 @@ static int dcbnl_getperm_hwaddr(struct n dcb->dcb_family = AF_UNSPEC; dcb->cmd = DCB_CMD_GPERM_HWADDR; + memset(perm_addr, 0, sizeof(perm_addr)); netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), @@ -1311,6 +1312,7 @@ static int dcbnl_ieee_get(struct net_dev if (ops->ieee_getets) { struct ieee_ets ets; + memset(&ets, 0, sizeof(ets)); err = ops->ieee_getets(netdev, &ets); if (!err) NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets); @@ -1318,6 +1320,7 @@ static int dcbnl_ieee_get(struct net_dev if (ops->ieee_getpfc) { struct ieee_pfc pfc; + memset(&pfc, 0, sizeof(pfc)); err = ops->ieee_getpfc(netdev, &pfc); if (!err) NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc); @@ -1344,6 +1347,7 @@ static int dcbnl_ieee_get(struct net_dev /* get peer info if available */ if (ops->ieee_peer_getets) { struct ieee_ets ets; + memset(&ets, 0, sizeof(ets)); err = ops->ieee_peer_getets(netdev, &ets); if (!err) NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets); @@ -1351,6 +1355,7 @@ static int dcbnl_ieee_get(struct net_dev if (ops->ieee_peer_getpfc) { struct ieee_pfc pfc; + memset(&pfc, 0, sizeof(pfc)); err = ops->ieee_peer_getpfc(netdev, &pfc); if (!err) NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc); @@ -1551,6 +1556,7 @@ static int dcbnl_cee_get(struct net_devi /* get peer info if available */ if (ops->cee_peer_getpg) { struct cee_pg pg; + memset(&pg, 0, sizeof(pg)); err = ops->cee_peer_getpg(netdev, &pg); if (!err) NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg); @@ -1558,6 +1564,7 @@ static int dcbnl_cee_get(struct net_devi if (ops->cee_peer_getpfc) { struct cee_pfc pfc; + memset(&pfc, 0, sizeof(pfc)); err = ops->cee_peer_getpfc(netdev, &pfc); if (!err) NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc); Patches currently in stable-queue which might be from minipli@xxxxxxxxxxxxxx are queue-3.0/dcbnl-fix-various-netlink-info-leaks.patch queue-3.0/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html