2.4.36-stable kernel tree
Revision | 7d83d871b1fa17d8c23c8a03ae19ee772f3fe8dd (tree) |
---|---|
Date | 2007-04-18 18:08:36 |
Author | Willy Tarreau <w@1wt....> |
Committer | Willy Tarreau |
[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks (CVE-2007-1353)
Problem reported by Ilja van Sprundel. Assigned CVE-2007-1353.
Fix below from Marcel Holtmann, backported to 2.4.
The L2CAP and HCI setsockopt() implementations have a small information
leak that makes it possible to leak kernel stack memory to userspace.
If the optlen parameter is 0, no data will be copied by copy_from_user(),
but the uninitialized stack buffer will be read and stored later. A call
to getsockopt() can now retrieve the leaked information.
To fix this problem the stack buffer given to copy_from_user() must be
initialized with the current settings.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
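The leak mechanism the commit message describes, as an added user-space model that is not part of this commit or of the kernel source: `setsockopt_vuln` has the pre-patch shape (option buffer left as the stack had it, then `MIN(optlen, sizeof)` bytes copied in, then the whole struct stored), `setsockopt_fixed` has the post-patch shape (buffer seeded from the current settings first). The struct layouts, the `STALE_STACK` bytes standing in for leftover stack content, and the `copy_from_user_model`/`getsockopt_model` helpers are assumptions made for the demonstration; real leaked bytes would be whatever an earlier kernel path left in that frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models of the kernel-side structures. Field names follow the hunk
 * (imtu, omtu, flush_to); the types and layout are an assumption. */
struct l2cap_options {
    uint16_t imtu;
    uint16_t omtu;
    uint16_t flush_to;
};

struct l2cap_pinfo {          /* stands in for l2cap_pi(sk) */
    uint16_t imtu;
    uint16_t omtu;
    uint16_t flush_to;
};

/* Constructed stand-in for whatever an earlier kernel path left in the
 * stack slot that `opts` occupies. Real leaks would be arbitrary bytes. */
static const uint8_t STALE_STACK[sizeof(struct l2cap_options)] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE
};

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for copy_from_user(): the "user" pointer is a local buffer. */
static int copy_from_user_model(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

static void store_opts(struct l2cap_pinfo *pi, const struct l2cap_options *o)
{
    pi->imtu = o->imtu;
    pi->omtu = o->omtu;
    pi->flush_to = o->flush_to;
}

/* Pre-patch shape. Reading an uninitialised automatic variable is undefined
 * behaviour in C, so the stale frame content is written explicitly here to
 * keep the demonstration deterministic. */
static int setsockopt_vuln(struct l2cap_pinfo *pi, const void *optval, int optlen)
{
    struct l2cap_options opts;
    memcpy(&opts, STALE_STACK, sizeof(opts));   /* models leftover stack data */

    size_t len = MIN(sizeof(opts), (size_t)optlen);
    if (copy_from_user_model(&opts, optval, len))
        return -14;                              /* -EFAULT */
    store_opts(pi, &opts);      /* bytes userspace never wrote become socket state */
    return 0;
}

/* Post-patch shape: the buffer is seeded with the current settings first. */
static int setsockopt_fixed(struct l2cap_pinfo *pi, const void *optval, int optlen)
{
    struct l2cap_options opts;
    memcpy(&opts, STALE_STACK, sizeof(opts));

    opts.imtu = pi->imtu;
    opts.omtu = pi->omtu;
    opts.flush_to = pi->flush_to;

    size_t len = MIN(sizeof(opts), (size_t)optlen);
    if (copy_from_user_model(&opts, optval, len))
        return -14;
    store_opts(pi, &opts);
    return 0;
}

/* getsockopt() side: hands the stored settings back to userspace. */
static void getsockopt_model(const struct l2cap_pinfo *pi, struct l2cap_options *out)
{
    out->imtu = pi->imtu;
    out->omtu = pi->omtu;
    out->flush_to = pi->flush_to;
}

typedef int (*setopt_fn)(struct l2cap_pinfo *, const void *, int);

/* setsockopt() with the given optlen on a socket whose current settings are
 * 672/672/0xFFFF, then what getsockopt() reports afterwards. */
static struct l2cap_options round_trip(setopt_fn setopt, int optlen)
{
    struct l2cap_pinfo pi = { .imtu = 672, .omtu = 672, .flush_to = 0xFFFF };
    struct l2cap_options user = { .imtu = 1000, .omtu = 0, .flush_to = 0 };
    struct l2cap_options got;

    setopt(&pi, &user, optlen);
    getsockopt_model(&pi, &got);
    return got;
}

/* 1 if a zero-length setsockopt() makes getsockopt() return the stale bytes. */
static int leaks_stale_bytes(setopt_fn setopt)
{
    struct l2cap_options got = round_trip(setopt, 0);
    return memcmp(&got, STALE_STACK, sizeof(got)) == 0;
}

/* 1 if a 2-byte update (imtu only) leaves omtu/flush_to at their old values. */
static int partial_update_keeps_rest(setopt_fn setopt)
{
    struct l2cap_options got = round_trip(setopt, 2);
    return got.imtu == 1000 && got.omtu == 672 && got.flush_to == 0xFFFF;
}

int main(void)
{
    printf("vulnerable: leak=%d partial-ok=%d\n",
           leaks_stale_bytes(setsockopt_vuln), partial_update_keeps_rest(setsockopt_vuln));
    printf("fixed:      leak=%d partial-ok=%d\n",
           leaks_stale_bytes(setsockopt_fixed), partial_update_keeps_rest(setsockopt_fixed));
    return 0;
}
```

The second check (a 2-byte optlen) shows why seeding from the current settings is the right fix rather than a plain memset: a short write should update only the leading field and leave the rest as configured, which the seeded version does and the unseeded one cannot.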
@@ -469,6 +469,8 @@ int hci_sock_setsockopt(struct socket *sock, int level, int optname, char *optva | ||
469 | 469 | break; |
470 | 470 | |
471 | 471 | case HCI_FILTER: |
472 | + memcpy(&flt, &hci_pi(sk)->filter, len); | |
473 | + | |
472 | 474 | len = MIN(len, sizeof(struct hci_filter)); |
473 | 475 | if (copy_from_user(&flt, optval, len)) { |
474 | 476 | err = -EFAULT; |
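Review bot: on the added `memcpy(&flt, &hci_pi(sk)->filter, len);` line, `len` is still the unclamped option length: the clamp `len = MIN(len, sizeof(struct hci_filter));` only runs on the following line, so a `len` larger than `sizeof(struct hci_filter)` makes the pre-fill read past `hci_pi(sk)->filter` and write past `flt` on the stack. Move the memcpy below the MIN line, or copy the whole structure regardless of `len` with `memcpy(&flt, &hci_pi(sk)->filter, sizeof(flt));`, which is also what "initialized with the current settings" calls for.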
@@ -685,6 +685,10 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch | ||
685 | 685 | |
686 | 686 | switch (optname) { |
687 | 687 | case L2CAP_OPTIONS: |
688 | + opts.imtu = l2cap_pi(sk)->imtu; | |
689 | + opts.omtu = l2cap_pi(sk)->omtu; | |
690 | + opts.flush_to = l2cap_pi(sk)->flush_to; | |
691 | + | |
688 | 692 | len = MIN(sizeof(opts), optlen); |
689 | 693 | if (copy_from_user((char *)&opts, optval, len)) { |
690 | 694 | err = -EFAULT; |
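Review bot: the pre-fill on the added lines is field-by-field (imtu, omtu, flush_to), so the buffer is fully initialized only if those are every member of struct l2cap_options and the structure carries no padding; a `memset(&opts, 0, sizeof(opts));` ahead of the three assignments would keep the fix complete if a field is later added to the structure. The clamp `len = MIN(sizeof(opts), optlen);` correctly precedes the copy_from_user() in this hunk.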