add CVE fixes
1 From 38e360ea72f11241adede7ea2b22d8d536fe490b Mon Sep 17 00:00:00 2001
2 From: Avijit Kanti Das <avijitnsec@codeaurora.org>
3 Date: Thu, 8 Jun 2017 15:41:00 +0200
4 Subject: [PATCH 5/5] net: Zeroing the structure ethtool_wolinfo in
5 ethtool_get_wol()
6
7 CVE-2014-9900
8
9 memset() the structure ethtool_wolinfo that has padded bytes
10 but the padded bytes have not been zeroed out.
11
12 Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe
13 Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
14 (cherry-picked from commit 63c317dbee97983004dffdd9f742a20d17150071
15 https://source.codeaurora.org/quic/la/kernel/msm-3.10)
16 Signed-off-by: Brad Figg <brad.figg@canonical.com>
17 Acked-by: Seth Forshee <seth.forshee@canonical.com>
18 Acked-by: Colin King <colin.king@canonical.com>
19 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
20
21 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
22 ---
23 net/core/ethtool.c | 4 +++-
24 1 file changed, 3 insertions(+), 1 deletion(-)
25
26 diff --git a/net/core/ethtool.c b/net/core/ethtool.c
27 index d92de0a1f0a4..c06c6acf78c5 100644
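--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1449,11 +1449,13 @@ static int ethtool_reset(struct net_device *dev, char __user *useraddr)
 
 static int ethtool_get_wol(struct net_device *dev, char __user *useraddr)
 {
- struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL };
+ struct ethtool_wolinfo wol;
 
 if (!dev->ethtool_ops->get_wol)
 return -EOPNOTSUPP;
 
+ memset(&wol, 0, sizeof(struct ethtool_wolinfo));
+ wol.cmd = ETHTOOL_GWOL;
 dev->ethtool_ops->get_wol(dev, &wol);
 
 if (copy_to_user(useraddr, &wol, sizeof(wol)))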
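Review bot: The added memset sizes itself with `sizeof(struct ethtool_wolinfo)` while the `copy_to_user()` a few lines below uses `sizeof(wol)`; writing `memset(&wol, 0, sizeof(wol));` ties the cleared length to the same object that is copied out, so the two cannot drift apart if the declaration ever changes. The reason for preferring memset over the removed `{ .cmd = ETHTOOL_GWOL }` initializer is only in the commit message, so a later cleanup could restore the initializer form and, going by that message, reintroduce the disclosure of uninitialised padding bytes to user space. A one-line comment above the memset would guard against that, for example `/* memset, not an initializer: padding must be zero before copy_to_user() */`. The body of ethtool_get_wol() continues past the end of the hunk, so the rest of the copy-out path is not visible here.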
45 --
46 2.11.0
47