linux kernel:2.6.37 rc1 net: tipc fix information leak to userland

2011.01.06

Credit: Vasiliy Kulikov

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2010-3877

CWE: CWE-200

CVSS Base Score: 1.9/10

Impact Subscore: 2.9/10

Exploitability Subscore: 3.4/10

Exploit range: Local

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" unitialized. It leads to leaking of
contents of kernel stack memory. We have to initialize them to zero.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
---
net/tipc/socket.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 33217fc..e9f0d50 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -396,6 +396,7 @@ static int get_name(struct socket *sock, struct sockaddr *uaddr,
struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
struct tipc_sock *tsock = tipc_sk(sock->sk);
+ memset(addr, 0, sizeof(*addr));
if (peer) {
if ((sock->state != SS_CONNECTED) &&
((peer != 2) || (sock->state != SS_DISCONNECTING)))
--
1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

References:

https://bugzilla.redhat.com/show_bug.cgi?id=649717

http://openwall.com/lists/oss-security/2010/11/04/5

http://openwall.com/lists/oss-security/2010/11/02/7

http://marc.info/?l=linux-netdev&m=128854507420917&w=2

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}