Commit 1f86840

minipli authored and davem330 committed
xfrm_user: fix info leak in copy_to_user_tmpl()
The memory used for the template copy is a local stack variable. As struct xfrm_user_tmpl contains multiple holes added by the compiler for alignment, not initializing the memory will lead to leaking stack bytes to userland. Add an explicit memset(0) to avoid the info leak.

Initial version of the patch by Brad Spengler.

Cc: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 7b78983 commit 1f86840

1 file changed

+1
-0
lines changed
Diff for: net/xfrm/xfrm_user.c

@@ -1425,6 +1425,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
14251425
struct xfrm_user_tmpl *up = &vec[i];
14261426
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
14271427

1428+
memset(up, 0, sizeof(*up));
14281429
memcpy(&up->id, &kp->id, sizeof(up->id));
14291430
up->family = kp->encap_family;
14301431
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
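
Review bot: the memset(up, 0, sizeof(*up)) added at new line 1428 has no comment, and since the lines right after it fill up->id, up->family and up->saddr field by field, it reads as redundant and could be dropped in a later cleanup. A one-line comment above it saying that it clears the alignment padding in struct xfrm_user_tmpl, which would otherwise carry stale stack bytes out with the copy, would keep the reason next to the code. It is also worth stating in the commit message whether other stack-built structs in this file that are copied to userland have been checked for the same holes, since this hunk only covers copy_to_user_tmpl().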
