econet: 4 byte infoleak to the network struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Phil Blundell <philb@gnu.org> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e [log] [tgz]
author: Vasiliy Kulikov <segoon@openwall.com> Thu Mar 17 01:40:10 2011 +0000
committer: David S. Miller <davem@davemloft.net> Fri Mar 18 15:12:15 2011 -0700
tree: 76b219ead6898d683e477e2fa2579145e792bd0a
parent: 4363c2fddb1399b728ef21ee8101c148a311ea45 [diff] [blame]
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 0c28263..116d3fd 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c

@@ -435,10 +435,10 @@
 		udpdest.sin_addr.s_addr = htonl(network | addr.station);
 	}
 
+	memset(&ah, 0, sizeof(ah));
 	ah.port = port;
 	ah.cb = cb & 0x7f;
 	ah.code = 2;		/* magic */
-	ah.pad = 0;
 
 	/* tack our header on the front of the iovec */
 	size = sizeof(struct aunhdr);
commit	67c5c6cb8129c595f21e88254a3fc6b3b841ae8e	[log] [tgz]
author	Vasiliy Kulikov <segoon@openwall.com>	Thu Mar 17 01:40:10 2011 +0000
committer	David S. Miller <davem@davemloft.net>	Fri Mar 18 15:12:15 2011 -0700
tree	76b219ead6898d683e477e2fa2579145e792bd0a
parent	4363c2fddb1399b728ef21ee8101c148a311ea45 [diff] [blame]