diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-20 14:18:46 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-20 14:19:40 +0200 |
commit | 06ddeb363e8edbc1144c11552a599004780f7322 (patch) | |
tree | 43ce015973fd7e1d2962fe6cfe9a94be2924cad2 | |
parent | 4878dea1ffd939c8d62bc9cc549b159260572eb8 (diff) | |
download | kernel_replicant_linux-06ddeb363e8edbc1144c11552a599004780f7322.tar.gz kernel_replicant_linux-06ddeb363e8edbc1144c11552a599004780f7322.tar.bz2 kernel_replicant_linux-06ddeb363e8edbc1144c11552a599004780f7322.zip |
can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693)
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch | 52 |
2 files changed, 53 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 439e95b0a264..e1d64675ec86 100644 --- a/debian/changelog +++ b/debian/changelog @@ -495,6 +495,7 @@ linux (5.10.45-1) UNRELEASED; urgency=medium * Ignore some ABI changes that should not affect OOT modules * Bump ABI to 8 * [rt] Refresh "tracing: Merge irqflags + preempt counter" + * can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693) [ Vagrant Cascadian ] * [arm64] Add pwm-rockchip to fb-modules udeb. diff --git a/debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch b/debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch new file mode 100644 index 000000000000..592668c44e6c --- /dev/null +++ b/debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch @@ -0,0 +1,52 @@ +From: Norbert Slusarek <nslusarek@gmx.net> +Date: Sat, 12 Jun 2021 22:18:54 +0200 +Subject: can: bcm: fix infoleak in struct bcm_msg_head +Origin: https://git.kernel.org/linus/5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-34693 + +On 64-bit systems, struct bcm_msg_head has an added padding of 4 bytes between +struct members count and ival1. Even though all struct members are initialized, +the 4-byte hole will contain data from the kernel stack. This patch zeroes out +struct bcm_msg_head before usage, preventing infoleaks to userspace. + +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Link: https://lore.kernel.org/r/trinity-7c1b2e82-e34f-4885-8060-2cd7a13769ce-1623532166177@3c-app-gmx-bs52 +Cc: linux-stable <stable@vger.kernel.org> +Signed-off-by: Norbert Slusarek <nslusarek@gmx.net> +Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + net/can/bcm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index f00176b2a6c3..f3e4d9528fa3 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -406,6 +406,7 @@ static enum hrtimer_restart bcm_tx_timeout_handler(struct hrtimer *hrtimer) + if (!op->count && (op->flags & TX_COUNTEVT)) { + + /* create notification to user */ ++ memset(&msg_head, 0, sizeof(msg_head)); + msg_head.opcode = TX_EXPIRED; + msg_head.flags = op->flags; + msg_head.count = op->count; +@@ -443,6 +444,7 @@ static void bcm_rx_changed(struct bcm_op *op, struct canfd_frame *data) + /* this element is not throttled anymore */ + data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV); + ++ memset(&head, 0, sizeof(head)); + head.opcode = RX_CHANGED; + head.flags = op->flags; + head.count = op->count; +@@ -564,6 +566,7 @@ static enum hrtimer_restart bcm_rx_timeout_handler(struct hrtimer *hrtimer) + } + + /* create notification to user */ ++ memset(&msg_head, 0, sizeof(msg_head)); + msg_head.opcode = RX_TIMEOUT; + msg_head.flags = op->flags; + msg_head.count = op->count; +-- +2.32.0 + |