[thirdparty/kernel/stable-queue.git] / releases / 4.18.11 / net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch

From foo@baz Wed Sep 26 11:27:32 CEST 2018
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 12 Sep 2018 07:36:35 +0200
Subject: net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT

From: Willy Tarreau <w@1wt.eu>

[ Upstream commit 9824dfae5741275473a23a7ed5756c7b6efacc9d ]

Fields ->dev and ->next of struct ipddp_route may be copied to
userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
to CAP_NET_ADMIN though. Let's manually copy the relevant fields
instead of using memcpy().

BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/appletalk/ipddp.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/net/appletalk/ipddp.c
+++ b/drivers/net/appletalk/ipddp.c
@@ -283,8 +283,12 @@ static int ipddp_ioctl(struct net_device
                 case SIOCFINDIPDDPRT:
 			spin_lock_bh(&ipddp_route_lock);
 			rp = __ipddp_find_route(&rcp);
-			if (rp)
-				memcpy(&rcp2, rp, sizeof(rcp2));
+			if (rp) {
+				memset(&rcp2, 0, sizeof(rcp2));
+				rcp2.ip    = rp->ip;
+				rcp2.at    = rp->at;
+				rcp2.flags = rp->flags;
+			}
 			spin_unlock_bh(&ipddp_route_lock);
 
 			if (rp) {
Commit	Line	Data
a81a45e9 GKH	1	From foo@baz Wed Sep 26 11:27:32 CEST 2018
	2	From: Willy Tarreau <w@1wt.eu>
	3	Date: Wed, 12 Sep 2018 07:36:35 +0200
	4	Subject: net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
	5
	6	From: Willy Tarreau <w@1wt.eu>
	7
	8	[ Upstream commit 9824dfae5741275473a23a7ed5756c7b6efacc9d ]
	9
	10	Fields ->dev and ->next of struct ipddp_route may be copied to
	11	userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
	12	to CAP_NET_ADMIN though. Let's manually copy the relevant fields
	13	instead of using memcpy().
	14
	15	BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
	16	Cc: Jann Horn <jannh@google.com>
	17	Signed-off-by: Willy Tarreau <w@1wt.eu>
	18	Signed-off-by: David S. Miller <davem@davemloft.net>
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	20	---
	21	drivers/net/appletalk/ipddp.c \| 8 ++++++--
	22	1 file changed, 6 insertions(+), 2 deletions(-)
	23
	24	--- a/drivers/net/appletalk/ipddp.c
	25	+++ b/drivers/net/appletalk/ipddp.c
	26	@@ -283,8 +283,12 @@ static int ipddp_ioctl(struct net_device
	27	case SIOCFINDIPDDPRT:
	28	spin_lock_bh(&ipddp_route_lock);
	29	rp = __ipddp_find_route(&rcp);
	30	- if (rp)
	31	- memcpy(&rcp2, rp, sizeof(rcp2));
	32	+ if (rp) {
	33	+ memset(&rcp2, 0, sizeof(rcp2));
	34	+ rcp2.ip = rp->ip;
	35	+ rcp2.at = rp->at;
	36	+ rcp2.flags = rp->flags;
	37	+ }
	38	spin_unlock_bh(&ipddp_route_lock);
	39
	40	if (rp) {