Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
econet: 4 byte infoleak to the network
struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
x86_64. These bytes are not initialized in the variable 'ah' before
sending 'ah' to the network. This leads to 4 bytes kernel stack
infoleak.
This bug was introduced before the git epoch.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
authored by Vasiliy Kulikov and committed by David S. Miller 67c5c6cb 4363c2fd
+1
-1
net/econet/af_econet.c
+1
-1
net/econet/af_econet.c
···
435
435
udpdest.sin_addr.s_addr = htonl(network | addr.station);
436
436
}
437
437
438
+
memset(&ah, 0, sizeof(ah));
438
439
ah.port = port;
439
440
ah.cb = cb & 0x7f;
440
441
ah.code = 2; /* magic */
441
-
ah.pad = 0;
442
442
443
443
/* tack our header on the front of the iovec */
444
444
size = sizeof(struct aunhdr);