Thread (8 messages) 8 messages, 2 authors, 2016-09-09
STALE3588d REVIEWED: 1 (0M)

[PATCH 4.4 3/4] rds: fix an infoleak in rds_inc_info_copy

From: Juerg Haefliger <hidden>
Date: 2016-08-29 13:39:09
Subsystem: networking [general], rds - reliable datagram sockets, the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Allison Henderson, Linus Torvalds

From: Kangjie Lu <redacted>

commit 4116def2337991b39919f3b448326e21c40e0dbb upstream.

This fixes CVE-2016-5244.

The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.

Signed-off-by: Kangjie Lu <redacted>
Acked-by: Santosh Shilimkar <redacted>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Juerg Haefliger <redacted>
---
 net/rds/recv.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/rds/recv.c b/net/rds/recv.c
index a00462b0d01d..0514af3ab378 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -545,5 +545,7 @@ void rds_inc_info_copy(struct rds_incoming *inc,
 		minfo.fport = inc->i_hdr.h_dport;
 	}
 
+	minfo.flags = 0;
+
 	rds_info_copy(iter, &minfo, sizeof(minfo));
 }
-- 
2.9.3
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help