[kernel] r12950 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Feb 25 06:51:12 UTC 2009 

Author: dannf
Date: Wed Feb 25 06:51:10 2009
New Revision: 12950

Log:
* Fix sensitive memory leak in SO_BSDCOMPAT gsopt
   - bugfix/all/net-SO_BSDCOMPAT-leak.patch
   - bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
  See CVE-2009-0676

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/24etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Feb 25 06:51:10 2009
@@ -27,8 +27,12 @@
   * [mips] Fix potential DOS by untrusted user app
      - bugfix/mips/fix-potential-dos.patch
     See CVE-2008-5701
+  * Fix sensitive memory leak in SO_BSDCOMPAT gsopt
+     - bugfix/all/net-SO_BSDCOMPAT-leak.patch
+     - bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
+    See CVE-2009-0676
 
- -- dann frazier <dannf at debian.org>  Sun, 22 Feb 2009 23:59:19 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 24 Feb 2009 23:49:22 -0700
 
 linux-2.6 (2.6.18.dfsg.1-24) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch	Wed Feb 25 06:51:10 2009
@@ -0,0 +1,32 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/core/sock.c linux-source-2.6.18/net/core/sock.c
+--- linux-source-2.6.18.orig/net/core/sock.c	2009-02-24 23:34:38.000000000 -0700
++++ linux-source-2.6.18/net/core/sock.c	2009-02-24 23:36:44.000000000 -0700
+@@ -656,7 +656,7 @@ int sock_getsockopt(struct socket *sock,
+ 	if(len < 0)
+ 		return -EINVAL;
+ 		
+-	v.val = 0;
++	memset(&v, 0, sizeof(v));
+ 
+   	switch(optname) 
+   	{

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch	Wed Feb 25 06:51:10 2009
@@ -0,0 +1,43 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date:   Thu Feb 12 16:59:09 2009 -0800
+
+    net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+    
+    In function sock_getsockopt() located in net/core/sock.c, optval v.val
+    is not correctly initialized and directly returned in userland in case
+    we have SO_BSDCOMPAT option set.
+    
+    This dummy code should trigger the bug:
+    
+    int main(void)
+    {
+    	unsigned char buf[4] = { 0, 0, 0, 0 };
+    	int len;
+    	int sock;
+    	sock = socket(33, 2, 2);
+    	getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+    	printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+    	close(sock);
+    }
+    
+    Here is a patch that fix this bug by initalizing v.val just after its
+    declaration.
+    
+    Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/core/sock.c linux-source-2.6.18/net/core/sock.c
+--- linux-source-2.6.18.orig/net/core/sock.c	2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/net/core/sock.c	2009-02-24 23:34:38.000000000 -0700
+@@ -656,6 +656,8 @@ int sock_getsockopt(struct socket *sock,
+ 	if(len < 0)
+ 		return -EINVAL;
+ 		
++	v.val = 0;
++
+   	switch(optname) 
+   	{
+ 		case SO_DEBUG:		

Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch1	Wed Feb 25 06:51:10 2009
@@ -59,3 +59,5 @@
 + bugfix/hppa/userspace-unwind-crash.patch
 + bugfix/all/net-add-preempt-point-in-qdisc_run.patch
 + bugfix/mips/fix-potential-dos.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch

More information about the Kernel-svn-changes mailing list