From: Stefano Brivio <sbrivio@xxxxxxxxxx>
Date: Wed, 23 Aug 2017 13:27:13 +0200

> inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
> sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
> to export diagnostic information to userspace.
>
> However, the memory allocated to store sockaddr information is
> smaller than that and depends on the address family, so we leak
> up to 100 uninitialized bytes to userspace. Just use the size of
> the source structs instead; in all three cases this is what
> userspace expects. Zero out the remaining memory.
>
> Unused bytes (i.e. when IPv4 addresses are used) in source
> structs sctp_sockaddr_entry and sctp_transport are already
> cleared by sctp_add_bind_addr() and sctp_transport_new(),
> respectively.
>
> Noticed while testing KASAN-enabled kernel with 'ss': ...
>
> This fixes CVE-2017-7558.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.7+
> Cc: Xin Long <lucien.xin@xxxxxxxxx>
> Cc: Vlad Yasevich <vyasevich@xxxxxxxxx>
> Cc: Neil Horman <nhorman@xxxxxxxxxxxxx>
> Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>

Applied and queued up for -stable.

Do not put "stable@kernel..." into networking patch submissions. For networking, I handle the stable submissions by hand myself.

Thank you.
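As an added illustration (not code from the patch or from this thread), the copy pattern the commit message describes: a fill routine that copies sizeof(struct sockaddr_storage) from a 28-byte address union over-reads into whatever follows it, while the corrected form copies only sizeof(source) and zeroes the rest. The fake_heap layout and the 0xAA stale-byte marker are constructed stand-ins for kernel memory; union addr_src stands in for the kernel's union sctp_addr.

```c
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Stand-in for union sctp_addr: sized by its largest member, sockaddr_in6 (28 bytes). */
union addr_src {
    struct sockaddr_in  v4;
    struct sockaddr_in6 v6;
};

#define STALE_BYTE 0xAA  /* constructed marker for memory that must not reach userspace */

/* Constructed region: the address sits first, followed by stale data that
 * a correct fill must never copy into the netlink reply. */
struct fake_heap {
    union addr_src a;
    unsigned char stale[sizeof(struct sockaddr_storage)];
};

static void make_heap(struct fake_heap *h)
{
    memset(h, STALE_BYTE, sizeof(*h));          /* everything starts out "stale" */
    memset(&h->a, 0, sizeof(h->a));             /* as sctp_add_bind_addr() clears its entry */
    h->a.v4.sin_family = AF_INET;
    h->a.v4.sin_port = htons(9899);
    h->a.v4.sin_addr.s_addr = htonl(0x7f000001);
}

/* Pre-fix pattern: the copy length is the destination size, so 100 bytes past the
 * end of the 28-byte source are read and exported. */
static void fill_vulnerable(struct sockaddr_storage *info, const struct fake_heap *h)
{
    const void *src = &h->a;
    memcpy(info, src, sizeof(*info));
}

/* Fixed pattern: copy sizeof(source), then zero the remainder of the destination. */
static void fill_fixed(struct sockaddr_storage *info, const struct fake_heap *h)
{
    memcpy(info, &h->a, sizeof(h->a));
    memset((unsigned char *)info + sizeof(h->a), 0, sizeof(*info) - sizeof(h->a));
}

/* Returns how many bytes of the exported struct carry the stale marker. */
static size_t leaked_bytes(int fixed)
{
    struct fake_heap h;
    struct sockaddr_storage info;
    size_t i, n = 0;
    make_heap(&h);
    if (fixed) fill_fixed(&info, &h); else fill_vulnerable(&info, &h);
    for (i = 0; i < sizeof(info); i++)
        n += ((const unsigned char *)&info)[i] == STALE_BYTE;
    return n;
}
```

On Linux the vulnerable fill exports 128 - 28 = 100 marker bytes, matching the figure in the commit message, and the fixed fill exports none.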