1 From 8792d0c90a7952d7677cf197bbd504028352361e Mon Sep 17 00:00:00 2001
2 From: Mathias Krause <minipli@googlemail.com>
3 Date: Sun, 29 Jul 2012 19:45:14 +0000
4 Subject: net/tun: fix ioctl() based info leaks
5
6
7 From: Mathias Krause <minipli@googlemail.com>
8
9 [ Upstream commits a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc
10 and 8bbb181308bc348e02bfdbebdedd4e4ec9d452ce ]
11
12 The tun module leaks up to 36 bytes of memory by not fully initializing
13 a structure located on the stack that gets copied to user memory by the
14 TUNGETIFF and SIOCGIFHWADDR ioctl()s.
15
16 Signed-off-by: Mathias Krause <minipli@googlemail.com>
17 Signed-off-by: David S. Miller <davem@davemloft.net>
18 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 ---
20 drivers/net/tun.c | 6 ++++--
21 1 file changed, 4 insertions(+), 2 deletions(-)
22
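--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1255,10 +1255,12 @@ static long __tun_chr_ioctl(struct file
 int vnet_hdr_sz;
 int ret;
 
- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
+ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
 if (copy_from_user(&ifr, argp, ifreq_len))
 return -EFAULT;
-
+ } else {
+ memset(&ifr, 0, sizeof(ifr));
+ }
 if (cmd == TUNGETFEATURES) {
 /* Currently this just means: "what IFF flags are valid?".
 * This is needed because we never checked for invalid flags on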
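Review bot: The two branches initialise `ifr` to different extents: the `else` branch zeroes `sizeof(ifr)` bytes, but the `copy_from_user` branch fills only `ifreq_len` bytes. If a caller passes an `ifreq_len` smaller than `sizeof(ifr)`, the tail of the stack structure stays uninitialised on the TUNSETIFF / 0x89 path. That is safe only if every later copy back to user space is also bounded by `ifreq_len`, which cannot be confirmed here because `__tun_chr_ioctl` begins before and continues past this hunk. Zeroing unconditionally ahead of the test, `memset(&ifr, 0, sizeof(ifr));`, would remove that dependency. A comment such as `/* ifr is copied back to user space; never leave stack bytes in it */` would record why the initialisation exists.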