From: Stefano Brivio <sbri...@redhat.com>
Date: Wed, 23 Aug 2017 13:27:13 +0200
> inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
> sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
> to export diagnostic information to userspace.
>
> However, the memory allocated to store sockaddr information is
> smaller than that and depends on the address family, so we leak
> up to 100 uninitialized bytes to userspace. Just use the size of
> the source structs instead, in all the three cases this is what
> userspace expects. Zero out the remaining memory.
>
> Unused bytes (i.e. when IPv4 addresses are used) in source
> structs sctp_sockaddr_entry and sctp_transport are already
> cleared by sctp_add_bind_addr() and sctp_transport_new(),
> respectively.
>
> Noticed while testing KASAN-enabled kernel with 'ss':
...
> This fixes CVE-2017-7558.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Cc: <sta...@vger.kernel.org> # 4.7+
> Cc: Xin Long <lucien....@gmail.com>
> Cc: Vlad Yasevich <vyasev...@gmail.com>
> Cc: Neil Horman <nhor...@tuxdriver.com>
> Signed-off-by: Stefano Brivio <sbri...@redhat.com>
Applied and queued up for -stable.
Do not put "stable@kernel..." into networking patch submissions.
For networking, I handle the stable submissions by hand myself.
Thank you.
