Commit | Line | Data |
---|---|---|
a81a45e9 GKH |
1 | From foo@baz Wed Sep 26 11:27:32 CEST 2018 |
2 | From: Willy Tarreau <w@1wt.eu> | |
3 | Date: Wed, 12 Sep 2018 07:36:35 +0200 | |
4 | Subject: net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT | |
5 | ||
6 | From: Willy Tarreau <w@1wt.eu> | |
7 | ||
8 | [ Upstream commit 9824dfae5741275473a23a7ed5756c7b6efacc9d ] | |
9 | ||
10 | Fields ->dev and ->next of struct ipddp_route may be copied to | |
11 | userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible | |
12 | to CAP_NET_ADMIN though. Let's manually copy the relevant fields | |
13 | instead of using memcpy(). | |
14 | ||
15 | BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html | |
16 | Cc: Jann Horn <jannh@google.com> | |
17 | Signed-off-by: Willy Tarreau <w@1wt.eu> | |
18 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
20 | --- | |
21 | drivers/net/appletalk/ipddp.c | 8 ++++++-- | |
22 | 1 file changed, 6 insertions(+), 2 deletions(-) | |
23 | ||
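--- a/drivers/net/appletalk/ipddp.c
+++ b/drivers/net/appletalk/ipddp.c
@@ -283,8 +283,12 @@ static int ipddp_ioctl(struct net_device
 case SIOCFINDIPDDPRT:
 spin_lock_bh(&ipddp_route_lock);
 rp = __ipddp_find_route(&rcp);
- if (rp)
- memcpy(&rcp2, rp, sizeof(rcp2));
+ if (rp) {
+ memset(&rcp2, 0, sizeof(rcp2));
+ rcp2.ip = rp->ip;
+ rcp2.at = rp->at;
+ rcp2.flags = rp->flags;
+ }
 spin_unlock_bh(&ipddp_route_lock);
 
 if (rp) {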
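Review bot: The field-by-field copy in the new `if (rp) {` branch has no comment explaining why memcpy() was dropped, so a later cleanup could restore a whole-struct copy or a struct assignment and bring back the leak of ->dev and ->next. I would add `/* Copy only user-visible fields: ->dev and ->next are kernel pointers and must not reach userspace. */` above the memset(). The comment should also say that the memset() is load-bearing, since it zeroes the two pointer members and any padding in rcp2 before the buffer is presumably handed to userspace in the trailing `if (rp) {` block, which continues outside the hunk. ipddp_ioctl itself starts and ends outside the hunk, so the declaration of rcp2 and the final copy-out are not visible here and are worth checking against the same rule.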