dev_get_mac_address() does not always initialize whole
structure. Unfortunately, other code copies such structure to
userspace, leaking information. Fix it.
Signed-off-by: Pavel Machek (CIP) <[email protected]>
Cc: [email protected]
diff --git a/net/core/dev.c b/net/core/dev.c
index 6c5967e80132..28283a9eb63a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8949,11 +8949,9 @@ int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)
ret = -ENODEV;
goto unlock;
}
- if (!dev->addr_len)
- memset(sa->sa_data, 0, size);
- else
- memcpy(sa->sa_data, dev->dev_addr,
- min_t(size_t, size, dev->addr_len));
+ memset(sa->sa_data, 0, size);
+ memcpy(sa->sa_data, dev->dev_addr,
+ min_t(size_t, size, dev->addr_len));
sa->sa_family = dev->type;
unlock:
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
On Sun, Mar 21, 2021 at 9:34 AM Pavel Machek <[email protected]> wrote:
>
> dev_get_mac_address() does not always initialize whole
> structure. Unfortunately, other code copies such structure to
> userspace, leaking information. Fix it.
Well, most callers already initialize it with a memset() or copy_from_user(),
for example, __tun_chr_ioctl():
if (cmd == TUNSETIFF || cmd == TUNSETQUEUE ||
(_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) {
if (copy_from_user(&ifr, argp, ifreq_len))
return -EFAULT;
} else {
memset(&ifr, 0, sizeof(ifr));
}
Except tap_ioctl(), but we can just initialize 'sa' there instead of doing
it in dev_get_mac_address().
Thanks.