econet: 4 byte infoleak to the network CVE-2011-1173
 

On Mon, Jul 04, 2011 at 05:22:44PM +0100, paolo.pisati@canonical.com wrote:
> From: Vasiliy Kulikov <segoon@openwall.com>
>
> BugLink: http://bugs.launchpad.net/bugs/801484
>
> commit upstream 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e
>
> struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
> x86_64. These bytes are not initialized in the variable 'ah' before
> sending 'ah' to the network. This leads to 4 bytes kernel stack
> infoleak.
>
> This bug was introduced before the git epoch.
>
> CVE-2011-1173
>
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> Acked-by: Phil Blundell <philb@gnu.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
> ---
> net/econet/af_econet.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index 59092f4..bda42d3 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -434,10 +434,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
> udpdest.sin_addr.s_addr = htonl(network | addr.station);
> }
>
> + memset(&ah, 0, sizeof(ah));
> ah.port = port;
> ah.cb = cb & 0x7f;
> ah.code = 2; /* magic */
> - ah.pad = 0;
>
> /* tack our header on the front of the iovec */
> size = sizeof(struct aunhdr);

Looks identicle to the upstream commit, appears sane.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team