Old 02-01-2011, 01:40 PM
Tim Gardner
 
net: packet: fix information leak to userland

On 02/01/2011 07:26 AM, Andy Whitcroft wrote:
> The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel
> before 2.6.37-rc2 does not initialize a certain structure, which allows
> local users to obtain potentially sensitive information from kernel stack
> memory by reading a copy of this structure.
>
> Following this email are CVE patches for Dapper, Hardy, Karmic, Lucid,
> and Maverick. These are all trivial backports from the upstream commit
> below:
>
> commit fe10ae53384e48c51996941b7720ee16995cbcb7
> Author: Vasiliy Kulikov <segooon@gmail.com>
> Date: Wed Nov 10 10:14:33 2010 -0800
>
> net: ax25: fix information leak to userland
>
> Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
> field of fsa struct, also the struct has padding bytes between
> sax25_call and sax25_ndigis fields. This structure is then copied to
> userland. It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> -apw



Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-01-2011, 01:43 PM
Stefan Bader
 
net: packet: fix information leak to userland

On 02/01/2011 03:26 PM, Andy Whitcroft wrote:
> The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel
> before 2.6.37-rc2 does not initialize a certain structure, which allows
> local users to obtain potentially sensitive information from kernel stack
> memory by reading a copy of this structure.
>
> Following this email are CVE patches for Dapper, Hardy, Karmic, Lucid,
> and Maverick. These are all trivial backports from the upstream commit
> below:
>
> commit fe10ae53384e48c51996941b7720ee16995cbcb7
> Author: Vasiliy Kulikov <segooon@gmail.com>
> Date: Wed Nov 10 10:14:33 2010 -0800
>
> net: ax25: fix information leak to userland
>
> Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
> field of fsa struct, also the struct has padding bytes between
> sax25_call and sax25_ndigis fields. This structure is then copied to
> userland. It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> -apw
>
So strlcpy would always add a terminating zero while strncpy might not _if_ the
string is 14 chars long. Hope that won't happen then...

ACK for all of them.

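Two points in this thread are worth seeing in working code: the stack leak the quoted commit message describes (a struct filled member by member, then copied out whole, padding bytes and unset members included) and Stefan's remark above about strncpy not writing a terminator when the source fills the buffer. The program below is an added example written for this archive page; it is not code from the thread, from the Ubuntu backports or from the kernel. `struct toy_sockaddr_ax25` is a constructed stand-in that only mimics the full_sockaddr_ax25 layout, the `STALE` marker emulates whatever an earlier call left in the stack frame, `SA_DATA_LEN` is a constructed 14-byte field, and the `getname_*`/`copy_*` helpers are assumptions of the example. The "fixed" variant clears the whole struct before filling it, which is the usual remedy for this class of bug.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the full_sockaddr_ax25 layout: a short family tag,
 * a 7-byte callsign, an int digipeater count (the compiler pads in front of
 * it) and two 7-byte digipeater slots.  Not the kernel header. */
struct toy_sockaddr_ax25 {
    unsigned short sax25_family;
    char           sax25_call[7];
    int            sax25_ndigis;          /* padding bytes sit before this */
    char           fsa_digipeater[2][7];
};

#define STALE       0xAA /* marker for whatever the stack frame held before */
#define SA_DATA_LEN 14   /* constructed 14-byte fixed-size field */

/* Counts bytes still carrying the STALE marker after the copy: each one is a
 * byte the "kernel side" never wrote before handing the buffer to "userland". */
size_t count_stale_bytes(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Member-by-member fill shared by both variants: only n_digis digipeater
 * slots are written and padding is never touched. */
static void fill_members(struct toy_sockaddr_ax25 *sa, int n_digis) {
    sa->sax25_family = 3;
    memcpy(sa->sax25_call, "CALL01", 7);
    sa->sax25_ndigis = n_digis;
    for (int i = 0; i < n_digis && i < 2; i++)
        memcpy(sa->fsa_digipeater[i], "DIGI01", 7);
}

/* Pre-fix pattern: the struct sits in a frame that still holds old data,
 * members are filled, and the whole struct is copied out.  The padding and
 * the unused digipeater slot travel with the copy. */
size_t getname_leaky(unsigned char *out, size_t cap, int n_digis) {
    struct toy_sockaddr_ax25 sa;
    memset(&sa, STALE, sizeof sa);        /* emulate a dirty stack frame */
    fill_members(&sa, n_digis);
    size_t n = cap < sizeof sa ? cap : sizeof sa;
    memcpy(out, &sa, n);                  /* stands in for copy_to_user() */
    return n;
}

/* Fixed pattern: clear the entire struct, padding included, before filling
 * any member, so every byte not explicitly set leaves as zero. */
size_t getname_fixed(unsigned char *out, size_t cap, int n_digis) {
    struct toy_sockaddr_ax25 sa;
    memset(&sa, STALE, sizeof sa);        /* same dirty frame ... */
    memset(&sa, 0, sizeof sa);            /* ... zeroed before any member */
    fill_members(&sa, n_digis);
    size_t n = cap < sizeof sa ? cap : sizeof sa;
    memcpy(out, &sa, n);
    return n;
}

/* 1 if dst contains a NUL within its first len bytes. */
int is_terminated(const char *dst, size_t len) {
    return memchr(dst, '\0', len) != NULL;
}

/* strncpy zero-pads when src is short, but writes no terminator at all once
 * src is len characters or longer. */
int copy_with_strncpy(char *dst, size_t len, const char *src) {
    memset(dst, STALE, len);
    strncpy(dst, src, len);
    return is_terminated(dst, len);
}

/* Bounded copy with the strlcpy guarantee (always NUL-terminated, truncating
 * if needed); written out locally because not every libc ships strlcpy. */
int copy_terminated(char *dst, size_t len, const char *src) {
    size_t n = strlen(src);
    if (n >= len)
        n = len - 1;
    memset(dst, STALE, len);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return is_terminated(dst, len);
}

int main(void) {
    unsigned char leaky[64], fixed[64];
    size_t n = getname_leaky(leaky, sizeof leaky, 1);
    getname_fixed(fixed, sizeof fixed, 1);
    printf("struct size %zu: leaky copy carries %zu stale bytes, fixed copy %zu\n",
           n, count_stale_bytes(leaky, n), count_stale_bytes(fixed, n));

    char sa_data[SA_DATA_LEN];
    printf("strncpy of a 14-char name terminated: %d\n",
           copy_with_strncpy(sa_data, SA_DATA_LEN, "abcdefghijklmn"));
    printf("bounded copy of the same name terminated: %d (%s)\n",
           copy_terminated(sa_data, SA_DATA_LEN, "abcdefghijklmn"), sa_data);
    return 0;
}
```

With one digipeater set, the leaky copy carries the three padding bytes in front of `sax25_ndigis`, the whole unused second digipeater slot and the tail padding, all still holding the marker; the fixed copy carries none. The strncpy case shows the other half of Stefan's point: a 13-character name comes out terminated, a 14-character one does not, while the bounded copy always terminates at the cost of dropping the last character.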
 
Old 02-01-2011, 03:24 PM
Tim Gardner
 
net: packet: fix information leak to userland

On 02/01/2011 07:26 AM, Andy Whitcroft wrote:
> The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel
> before 2.6.37-rc2 does not initialize a certain structure, which allows
> local users to obtain potentially sensitive information from kernel stack
> memory by reading a copy of this structure.
>
> Following this email are CVE patches for Dapper, Hardy, Karmic, Lucid,
> and Maverick. These are all trivial backports from the upstream commit
> below:
>
> commit fe10ae53384e48c51996941b7720ee16995cbcb7
> Author: Vasiliy Kulikov <segooon@gmail.com>
> Date: Wed Nov 10 10:14:33 2010 -0800
>
> net: ax25: fix information leak to userland
>
> Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
> field of fsa struct, also the struct has padding bytes between
> sax25_call and sax25_ndigis fields. This structure is then copied to
> userland. It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> -apw



applied and pushed

--
Tim Gardner tim.gardner@canonical.com
