[PATCH V2] net/nfc/nci: fix infoleak in struct nci_set_config_param

From: cgel . zte
Date: Tue Mar 01 2022 - 22:33:20 EST

Next message: Harold Huang: "Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg"
Previous message: Joao Moreira: "Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups"
Next in thread: weiyongjun (A): "Re: [PATCH V2] net/nfc/nci: fix infoleak in struct nci_set_config_param"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: "Minghao Chi (CGEL ZTE)" <chi.minghao@xxxxxxxxxx>

On 64-bit systems, struct nci_set_config_param has
an added padding of 7 bytes between struct members
id and len. Even though all struct members are initialized,
the 7-byte hole will contain data from the kernel stack.
This patch zeroes out struct nci_set_config_param before
usage, preventing infoleaks to userspace.

v1->v2:
-Modify the title.
-Add explanatory information.

Reported-by: Zeal Robot <zealci@xxxxxxxxxx>
Signed-off-by: Minghao Chi (CGEL ZTE) <chi.minghao@xxxxxxxxxx>
---
net/nfc/nci/core.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index d2537383a3e8..32be42be1152 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -641,6 +641,7 @@ int nci_set_config(struct nci_dev *ndev, __u8 id, size_t len, const __u8 *val)
if (!val || !len)
return 0;

+ memset(&param, 0x0, sizeof(param));
param.id = id;
param.len = len;
param.val = val;
--
2.25.1

Next message: Harold Huang: "Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg"
Previous message: Joao Moreira: "Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups"
Next in thread: weiyongjun (A): "Re: [PATCH V2] net/nfc/nci: fix infoleak in struct nci_set_config_param"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]