[linux] 01/01: tipc: fix an infoleak in tipc_nl_compat_link_dump (CVE-2016-5243)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Jun 11 05:21:40 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 01be9139c051d1c563540806d28b5bd71f5cd9e8
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat Jun 11 07:18:28 2016 +0200

    tipc: fix an infoleak in tipc_nl_compat_link_dump (CVE-2016-5243)
---
 ...x-an-infoleak-in-tipc_nl_compat_link_dump.patch | 32 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 33 insertions(+)

diff --git a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
new file mode 100644
index 0000000..03f290a
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
@@ -0,0 +1,32 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Thu, 2 Jun 2016 04:04:56 -0400
+Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
+Origin: https://git.kernel.org/linus/5d2be1422e02ccd697ccfcd45c85b4a26e6178e2
+
+link_info.str is a char array of size 60. Memory after the NULL
+byte is not initialized. Sending the whole object out can cause
+a leak.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/tipc/netlink_compat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index f795b1d..3ad9fab 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+ 
+ 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
+ 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+-	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
++	nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
++		    TIPC_MAX_LINK_NAME);
+ 
+ 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
+ 			    &link_info, sizeof(link_info));
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 41252ef..1977441 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -110,6 +110,7 @@ bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
 bugfix/all/proc-prevent-stacking-filesystems-on-top.patch
 bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
 bugfix/all/sched-panic-on-corrupted-stack-end.patch
+bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list