LinuxLists.cc - Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

2011-05-08 19:57:31

Subject: Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

Hi,

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.

patch no.1:
-- cut --
--- a/net/bluetooth/l2cap_sock.c 2011-05-04 03:59:13.000000000 +0100
+++ b/net/bluetooth/l2cap_sock.c 2011-05-08 18:57:20.000000000 +0100
@@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
break;
}

+ memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);

-- cut --

patch no.2:
-- cut --
--- a/net/bluetooth/rfcomm/sock.c 2011-05-04 03:59:13.000000000 +0100
+++ b/net/bluetooth/rfcomm/sock.c 2011-05-08 19:00:24.000000000 +0100
@@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st

l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;

+ memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
memcpy(cinfo.dev_class,
l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
-- cut --

Found by Marek Kroemeke and Filip Palian. Special thanks to Vasiliy
Kulikov for verifying this bug.

Best regards.

2011-05-09 14:31:39

by Vasily Kulikov

[permalink] [raw]

Subject: Re: [oss-security] Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

On Sun, May 08, 2011 at 21:57 +0200, Filip Palian wrote:
> Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
> byte each. This byte in "cinfo" is copied to userspace uninitialized.

Your mail client mangles the patch, it should contain original
identation tabs, not spaces. Please see Documentation/email-clients.txt.

> patch no.1:

Don't send 2 patches as one email. Either send 2 email or merge them
into one patch (if they are similar changes). You'll ease maintainers'
work.

> Found by Marek Kroemeke and Filip Palian.

Please see Documentation/SubmittingPatches, chapter 12 to find out how
to sign the patch.

And please don't crosspost to oss-security and LKML - send a separate
email to o-s with a short description of a bug and a link to the LKML
thread. LKML thread is a place to argue and discuss the solution, but
o-s subscribers are probably not interested in such a discussion.

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Attachments:

(No filename) (1.00 kB)
signature.asc (836.00 B)
Digital signature Download all attachments