[kernel] r12949 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Feb 25 06:39:32 UTC 2009
Author: dannf
Date: Wed Feb 25 06:39:29 2009
New Revision: 12949
Log:
Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch (contents, props changed)
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch (contents, props changed)
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog (original)
+++ dists/etch-security/linux-2.6.24/debian/changelog Wed Feb 25 06:39:29 2009
@@ -14,8 +14,9 @@
* dell_rbu: use scnprintf instead of less secure sprintf (CVE-2009-0322)
* [hppa] Fix system crash while unwinding a userspace process
(CVE-2008-5395)
+ * Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)
- -- dann frazier <dannf at debian.org> Thu, 19 Feb 2009 00:26:46 -0700
+ -- dann frazier <dannf at debian.org> Tue, 24 Feb 2009 23:25:36 -0700
linux-2.6.24 (2.6.24-6~etchnhalf.8) stable; urgency=high
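Review bot: the new changelog line names one CVE but this revision imports two upstream commits, and the second (net-SO_BSDCOMPAT-leak-2.patch) exists because the first is documented as incomplete; say so in the entry, e.g. `* Fix sensitive memory leak in SO_BSDCOMPAT gsopt, including the follow-up fix for union padding (CVE-2009-0676)`, so that anyone auditing this CVE against the etch package can see the amended fix is present rather than only commit df0bca04.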
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch Wed Feb 25 06:39:29 2009
@@ -0,0 +1,32 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/core/sock.c linux-source-2.6.24/net/core/sock.c
+--- linux-source-2.6.24.orig/net/core/sock.c 2009-02-24 23:20:47.000000000 -0700
++++ linux-source-2.6.24/net/core/sock.c 2009-02-24 23:22:41.000000000 -0700
+@@ -691,7 +691,7 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname) {
+ case SO_DEBUG:
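Review bot: replacing `v.val = 0;` with `memset(&v, 0, sizeof(v));` is the right scope, since assigning the int member zeroes only the first sizeof(int) bytes of the union and every byte past that, including the padding a struct timeval with 64-bit tv_sec and 32-bit tv_usec carries, still reaches user space on the options that copy out the larger members. Because this hunk's `-` line is exactly the line net-SO_BSDCOMPAT-leak.patch adds, the patch applies only after that one; the series file keeps that order, but state the dependency in the header next to the "Adjusted to apply" note so a later reordering of the series does not break the push.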
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch Wed Feb 25 06:39:29 2009
@@ -0,0 +1,43 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date: Thu Feb 12 16:59:09 2009 -0800
+
+ net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+ In function sock_getsockopt() located in net/core/sock.c, optval v.val
+ is not correctly initialized and directly returned in userland in case
+ we have SO_BSDCOMPAT option set.
+
+ This dummy code should trigger the bug:
+
+ int main(void)
+ {
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+ }
+
+ Here is a patch that fix this bug by initalizing v.val just after its
+ declaration.
+
+ Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/core/sock.c linux-source-2.6.24/net/core/sock.c
+--- linux-source-2.6.24.orig/net/core/sock.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/core/sock.c 2009-02-24 23:20:47.000000000 -0700
+@@ -691,6 +691,8 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname) {
+ case SO_DEBUG:
+ v.val = sock_flag(sk, SOCK_DBG);
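Review bot: `v.val = 0;` closes the 4-byte SO_BSDCOMPAT case but initializes only the int member, so any option that copies out a larger union member still returns whatever bytes beyond sizeof(int) the union inherited from the stack, padding included; a `memset(&v, 0, sizeof(v));` at the same spot covers all of them. Separately, the proof-of-concept in the commit message passes `int len;` uninitialized, so the `if (len < 0) return -EINVAL;` visible just above decides the outcome on stack garbage and the type should be socklen_t; `socklen_t len = sizeof(buf);` before the call, with `buf` rather than `&buf` as the optval pointer, gives the intended 4-byte read.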
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 (original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 Wed Feb 25 06:39:29 2009
@@ -61,3 +61,5 @@
+ bugfix/all/ecryptfs-check-readlink-result-before-use.patch
+ bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
+ bugfix/hppa/userspace-unwind-crash.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
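The following is an added example, not code from this Debian commit or from the upstream kernel patches it imports: a user-space model of the leak CVE-2009-0676 describes and of what separates the two fixes. The union, the option cases and the copy-out length clamp are simplified stand-ins for sock_getsockopt(); the 0xAA fill models stale kernel stack contents; the padded timeval layout (64-bit tv_sec, 32-bit tv_usec, forced with _Alignas) is the hypothetical ABI the second patch's message warns about, and the names FIX_*, OPT_*, model_getsockopt and leaked_bytes are this example's own.

```c
/*
 * Added example, not part of the Debian commit or the upstream patches
 * above: a user-space model of the uninitialised union in
 * sock_getsockopt() and of the two fixes this commit imports.
 * The union, the option cases and the length clamp are simplified
 * stand-ins for the kernel code; 0xAA models stale stack contents.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ABI from the second patch's message: 64-bit tv_sec,
 * 32-bit tv_usec, hence 4 bytes of tail padding that member
 * assignments never write. _Alignas(8) forces that layout here. */
struct tv_padded {
    _Alignas(8) int64_t tv_sec;
    int32_t tv_usec;
};

struct linger_m { int l_onoff; int l_linger; };

/* Mirrors the shape of the union `v` in sock_getsockopt(). */
union optval {
    int val;
    struct linger_m ling;
    struct tv_padded tm;
};

enum fix { FIX_NONE, FIX_VAL_ZERO, FIX_MEMSET };
enum opt { OPT_BSDCOMPAT, OPT_RCVTIMEO };

#define STALE 0xAA   /* stand-in for whatever the kernel stack held */

/*
 * Model of sock_getsockopt(): pick one of the three initialisation
 * strategies, run the option case, then copy min(len, lv) bytes to the
 * caller the way copy_to_user(optval, &v, len) does. Returns bytes copied.
 */
static size_t model_getsockopt(enum fix f, enum opt o,
                               unsigned char *out, size_t len)
{
    union optval v;
    size_t lv = sizeof(int);

    memset(&v, STALE, sizeof v);             /* stale stack contents */

    switch (f) {
    case FIX_NONE:                           /* 2.6.24 before this commit */
        break;
    case FIX_VAL_ZERO:                       /* net-SO_BSDCOMPAT-leak.patch */
        v.val = 0;
        break;
    case FIX_MEMSET:                         /* net-SO_BSDCOMPAT-leak-2.patch */
        memset(&v, 0, sizeof v);
        break;
    }

    switch (o) {
    case OPT_BSDCOMPAT:
        /* the vulnerable case: a warning was printed, v.val never set */
        break;
    case OPT_RCVTIMEO:
        v.tm.tv_sec = 5;                     /* fields written, padding not */
        v.tm.tv_usec = 0;
        lv = sizeof v.tm;
        break;
    }

    if (len > lv)
        len = lv;
    memcpy(out, &v, len);
    return len;
}

/* Number of bytes handed to the caller that still carry the stale fill. */
size_t leaked_bytes(enum fix f, enum opt o, size_t len)
{
    unsigned char out[sizeof(union optval)];
    size_t n = model_getsockopt(f, o, out, len);
    size_t leaked = 0;

    for (size_t i = 0; i < n; i++)
        if (out[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("unfixed  SO_BSDCOMPAT: %zu stale bytes\n",
           leaked_bytes(FIX_NONE, OPT_BSDCOMPAT, 4));
    printf("v.val=0  SO_BSDCOMPAT: %zu stale bytes\n",
           leaked_bytes(FIX_VAL_ZERO, OPT_BSDCOMPAT, 4));
    printf("v.val=0  SO_RCVTIMEO:  %zu stale bytes\n",
           leaked_bytes(FIX_VAL_ZERO, OPT_RCVTIMEO, sizeof(struct tv_padded)));
    printf("memset   SO_RCVTIMEO:  %zu stale bytes\n",
           leaked_bytes(FIX_MEMSET, OPT_RCVTIMEO, sizeof(struct tv_padded)));
    return 0;
}
```

Build with a C11 compiler. The third line of output is the case the amended patch exists for: both timeval fields are written, yet the four padding bytes that `v.val = 0` never reached come back as stale content. On an ABI whose timeval has no padding that line reports 0, matching the second patch's point that the residual leak depends on the architecture's struct layout.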