From: Eugene Teo <eugene@redhat.com> Date: Tue, 24 Feb 2009 13:02:24 +0800 Subject: [net] memory disclosure in SO_BSDCOMPAT gsopt Message-id: 49A37F60.5080003@redhat.com O-Subject: [RHEL5.4 patch] BZ#486518 kernel: memory disclosure in SO_BSDCOMPAT gsopt [v2] Bugzilla: 486518 RH-Acked-by: David Miller <davem@redhat.com> RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com> RH-Acked-by: Neil Horman <nhorman@redhat.com> RH-Acked-by: Mikulas Patocka <mpatocka@redhat.com> RH-Acked-by: Jiri Pirko <jpirko@redhat.com> RH-Acked-by: Neil Horman <nhorman@redhat.com> CVE: CVE-2009-0676 This is for bz#486518 (CVE-2009-0676). In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and directly returned in userland in case we have SO_BSDCOMPAT option set. It includes the suggestion from Mikulas to use memset(). http://marc.info/?l=linux-kernel&m=123540732700371&w=2 http://marc.info/?l=linux-netdev&m=123543237010175&w=2 -- Eugene Teo / Red Hat Security Response Team diff --git a/net/core/sock.c b/net/core/sock.c index 51d4ef4..078a24b 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -673,6 +673,8 @@ int sock_getsockopt(struct socket *sock, int level, int optname, return -EFAULT; if(len < 0) return -EINVAL; + + memset(&v, 0, sizeof(v)); switch(optname) {
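Review bot: the `memset(&v, 0, sizeof(v));` added just ahead of `switch(optname)` carries no comment explaining why it is there, and the commit message names only the SO_BSDCOMPAT case. Because the call sits before the switch, it clears v for every optname rather than for that one option, so a one-line comment above it (for example, that v is returned to userland and must not carry uninitialized memory) would stop it from being removed later as redundant. It would also help to say in the commit message that the broader placement is intentional. The extra blank `+` line before the memset should be checked for trailing whitespace.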