This is a note to let you know that I've just added the patch titled
NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
to the 3.8-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch
and it can be found in the queue-3.8 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From ce595833d47a3c40c292d044b7f4fc555b129787 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@xxxxxxxxxxxxxx>
Date: Sun, 7 Apr 2013 01:51:58 +0000
Subject: NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
From: Mathias Krause <minipli@xxxxxxxxxxxxxx>
[ Upstream commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb ]
The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.
Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.
Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
Cc: Lauro Ramos Venancio <lauro.venancio@xxxxxxxxxxxxx>
Cc: Aloisio Almeida Jr <aloisio.almeida@xxxxxxxxxxxxx>
Cc: Samuel Ortiz <sameo@xxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/nfc/llcp/sock.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -644,6 +644,8 @@ static int llcp_sock_recvmsg(struct kioc
pr_debug("%p %zu\n", sk, len);
+ msg->msg_namelen = 0;
+
lock_sock(sk);
if (sk->sk_state == LLCP_CLOSED &&
@@ -684,6 +686,7 @@ static int llcp_sock_recvmsg(struct kioc
pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
+ memset(&sockaddr, 0, sizeof(sockaddr));
sockaddr.sa_family = AF_NFC;
sockaddr.nfc_protocol = NFC_PROTO_NFC_DEP;
sockaddr.dsap = ui_cb->dsap;
Patches currently in stable-queue which might be from minipli@xxxxxxxxxxxxxx are
queue-3.8/irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch
queue-3.8/bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch
queue-3.8/llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
queue-3.8/nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch
queue-3.8/atm-update-msg_namelen-in-vcc_recvmsg.patch
queue-3.8/iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch
queue-3.8/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
queue-3.8/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch
queue-3.8/netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch
queue-3.8/caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch
queue-3.8/l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
queue-3.8/bluetooth-sco-fix-missing-msg_namelen-update-in-sco_sock_recvmsg.patch
queue-3.8/bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
queue-3.8/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html