xfrm_user: fix info leak in copy_to_user_tmpl()
The memory used for the template copy is a local stack variable. As struct xfrm_user_tmpl contains multiple holes added by the compiler for alignment, not initializing the memory will lead to leaking stack bytes to userland. Add an explicit memset(0) to avoid the info leak. Initial version of the patch by Brad Spengler. Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Родитель
7b789836f4
Коммит
1f86840f89
|
@ -1425,6 +1425,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
|
||||||
struct xfrm_user_tmpl *up = &vec[i];
|
struct xfrm_user_tmpl *up = &vec[i];
|
||||||
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
|
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
|
||||||
|
|
||||||
|
memset(up, 0, sizeof(*up));
|
||||||
memcpy(&up->id, &kp->id, sizeof(up->id));
|
memcpy(&up->id, &kp->id, sizeof(up->id));
|
||||||
up->family = kp->encap_family;
|
up->family = kp->encap_family;
|
||||||
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
|
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
|
||||||
|
|
Загрузка…
Ссылка в новой задаче