2013-04-07 12:06:02

by Mathias Krause

Subject: [PATCH] crypto: algif - suppress sending source address information in recvmsg

The current code does not set the msg_namelen member to 0 and therefore
makes net/socket.c leak the local sockaddr_storage variable to userland
-- 128 bytes of kernel stack memory. Fix that.

Signed-off-by: Mathias Krause <[email protected]>
---
crypto/algif_hash.c | 2 ++
crypto/algif_skcipher.c | 1 +
2 files changed, 3 insertions(+)

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index ef5356c..0262210 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
else if (len < ds)
msg->msg_flags |= MSG_TRUNC;

+ msg->msg_namelen = 0;
+
lock_sock(sk);
if (ctx->more) {
ctx->more = 0;
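Review bot: the new `msg->msg_namelen = 0;` ahead of `lock_sock(sk)` has no comment, so nothing in hash_recvmsg() says why a handler that never fills msg_name must still write the length. A one-line comment stating that this socket type reports no source address, and that the store keeps the socket layer from copying its local sockaddr_storage to userland, would stop the line from being removed as a no-op in a later cleanup. Since the commit message describes a leak of kernel stack to userland, the patch should also carry a stable tag next to the Signed-off-by line; as posted it has none.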
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 6a6dfc0..a1c4f0a 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
long copied = 0;

lock_sock(sk);
+ msg->msg_namelen = 0;
for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
iovlen--, iov++) {
unsigned long seglen = iov->iov_len;
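Review bot: placement differs between the two handlers. In skcipher_recvmsg() the store sits after `lock_sock(sk)`, while in hash_recvmsg() it sits before it. The write touches only the caller's msghdr, not socket state, so it does not need the lock. Put it in the same position in both functions, ideally as the first statement after the declarations, so that any return path added later still leaves msg_namelen at 0.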
--
1.7.10.4
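
The leak described in the commit message, as an added userspace model (not kernel code and not part of the original patch). It assumes the generic receive path copies `msg_namelen` bytes of its local address buffer back to the caller after the protocol handler returns; all names and the `0xAA` marker are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define STORAGE_LEN 128   /* size the commit message gives for sockaddr_storage */
#define STALE 0xAA        /* constructed marker standing in for old stack bytes */

struct model_msghdr {     /* hypothetical, reduced to the two relevant fields */
    void  *msg_name;
    size_t msg_namelen;
};

typedef void (*model_recvmsg_fn)(struct model_msghdr *msg);

/* Handler before the patch: never touches msg_namelen. */
static void handler_unpatched(struct model_msghdr *msg) { (void)msg; }

/* Handler after the patch: reports that there is no source address. */
static void handler_patched(struct model_msghdr *msg) { msg->msg_namelen = 0; }

/* Models the generic receive path; returns the bytes copied to the caller. */
static size_t model_recvmsg(model_recvmsg_fn handler, unsigned char *user_name,
                            size_t user_namelen)
{
    unsigned char addr[STORAGE_LEN];       /* the local address buffer */
    struct model_msghdr msg;

    memset(addr, STALE, sizeof(addr));     /* simulate uninitialized stack */
    if (user_namelen > STORAGE_LEN)
        user_namelen = STORAGE_LEN;
    msg.msg_name = addr;
    msg.msg_namelen = user_namelen;        /* assumption: caller's length is kept */
    handler(&msg);
    memcpy(user_name, msg.msg_name, msg.msg_namelen);
    return msg.msg_namelen;
}

/* Counts marker bytes that ended up in the caller's buffer. */
static size_t stale_bytes(const unsigned char *buf, size_t n)
{
    size_t i, count = 0;
    for (i = 0; i < n; i++)
        count += (buf[i] == STALE);
    return count;
}

int main(void)
{
    unsigned char before[STORAGE_LEN] = {0}, after[STORAGE_LEN] = {0};
    model_recvmsg(handler_unpatched, before, STORAGE_LEN);
    model_recvmsg(handler_patched, after, STORAGE_LEN);
    printf("unpatched: %zu stale bytes, patched: %zu\n",
           stale_bytes(before, STORAGE_LEN), stale_bytes(after, STORAGE_LEN));
    return 0;
}
```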


2013-04-10 03:31:53

by Herbert Xu

Subject: Re: [PATCH] crypto: algif - suppress sending source address information in recvmsg

On Sun, Apr 07, 2013 at 02:05:39PM +0200, Mathias Krause wrote:
> The current code does not set the msg_namelen member to 0 and therefore
> makes net/socket.c leak the local sockaddr_storage variable to userland
> -- 128 bytes of kernel stack memory. Fix that.
>
> Signed-off-by: Mathias Krause <[email protected]>

Patch applied. Thanks!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2013-04-10 06:21:52

by Mathias Krause

Subject: Re: [PATCH] crypto: algif - suppress sending source address information in recvmsg

On Wed, Apr 10, 2013 at 5:31 AM, Herbert Xu <[email protected]> wrote:
> On Sun, Apr 07, 2013 at 02:05:39PM +0200, Mathias Krause wrote:
>> The current code does not set the msg_namelen member to 0 and therefore
>> makes net/socket.c leak the local sockaddr_storage variable to userland
>> -- 128 bytes of kernel stack memory. Fix that.
>>
>> Signed-off-by: Mathias Krause <[email protected]>
>
> Patch applied. Thanks!

Thanks, but that patch shouldn't have been applied to cryptodev but
crypto instead, and probably queued up for stable as well.
I missed the 'Cc: stable # v2.6.38'. My bad.

Mathias

2013-04-10 06:26:28

by Herbert Xu

Subject: Re: [PATCH] crypto: algif - suppress sending source address information in recvmsg

On Wed, Apr 10, 2013 at 08:21:51AM +0200, Mathias Krause wrote:
> On Wed, Apr 10, 2013 at 5:31 AM, Herbert Xu <[email protected]> wrote:
> > On Sun, Apr 07, 2013 at 02:05:39PM +0200, Mathias Krause wrote:
> >> The current code does not set the msg_namelen member to 0 and therefore
> >> makes net/socket.c leak the local sockaddr_storage variable to userland
> >> -- 128 bytes of kernel stack memory. Fix that.
> >>
> >> Signed-off-by: Mathias Krause <[email protected]>
> >
> > Patch applied. Thanks!
>
> Thanks, but that patch shouldn't have been applied to cryptodev but
> crypto instead, and probably queued up for stable as well.
> I missed the 'Cc: stable # v2.6.38'. My bad.

OK, I'll move it across and add the stable Cc.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2013-04-21 19:14:50

by Mathias Krause

Subject: Re: [PATCH] crypto: algif - suppress sending source address information in recvmsg

On Wed, Apr 10, 2013 at 8:26 AM, Herbert Xu <[email protected]> wrote:
> On Wed, Apr 10, 2013 at 08:21:51AM +0200, Mathias Krause wrote:
>> On Wed, Apr 10, 2013 at 5:31 AM, Herbert Xu <[email protected]> wrote:
>> > On Sun, Apr 07, 2013 at 02:05:39PM +0200, Mathias Krause wrote:
>> >> The current code does not set the msg_namelen member to 0 and therefore
>> >> makes net/socket.c leak the local sockaddr_storage variable to userland
>> >> -- 128 bytes of kernel stack memory. Fix that.
>> >>
>> >> Signed-off-by: Mathias Krause <[email protected]>
>> >
>> > Patch applied. Thanks!
>>
>> Thanks, but that patch shouldn't have been applied to cryptodev but
>> crypto instead, and probably queued up for stable as well.
>> I missed the 'Cc: stable # v2.6.38'. My bad.
>
> OK, I'll move it across and add the stable Cc.

Any specific reason you're not pushing it to Linus for inclusion in v3.9?

Mathias