[kernel] r12950 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Feb 25 06:51:12 UTC 2009
Author: dannf
Date: Wed Feb 25 06:51:10 2009
New Revision: 12950
Log:
* Fix sensitive memory leak in SO_BSDCOMPAT gsopt
- bugfix/all/net-SO_BSDCOMPAT-leak.patch
- bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
See CVE-2009-0676
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/24etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Wed Feb 25 06:51:10 2009
@@ -27,8 +27,12 @@
* [mips] Fix potential DOS by untrusted user app
- bugfix/mips/fix-potential-dos.patch
See CVE-2008-5701
+ * Fix sensitive memory leak in SO_BSDCOMPAT gsopt
+ - bugfix/all/net-SO_BSDCOMPAT-leak.patch
+ - bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
+ See CVE-2009-0676
- -- dann frazier <dannf at debian.org> Sun, 22 Feb 2009 23:59:19 -0700
+ -- dann frazier <dannf at debian.org> Tue, 24 Feb 2009 23:49:22 -0700
linux-2.6 (2.6.18.dfsg.1-24) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch Wed Feb 25 06:51:10 2009
@@ -0,0 +1,32 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/core/sock.c linux-source-2.6.18/net/core/sock.c
+--- linux-source-2.6.18.orig/net/core/sock.c 2009-02-24 23:34:38.000000000 -0700
++++ linux-source-2.6.18/net/core/sock.c 2009-02-24 23:36:44.000000000 -0700
+@@ -656,7 +656,7 @@ int sock_getsockopt(struct socket *sock,
+ if(len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname)
+ {
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch Wed Feb 25 06:51:10 2009
@@ -0,0 +1,43 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date: Thu Feb 12 16:59:09 2009 -0800
+
+ net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+ In function sock_getsockopt() located in net/core/sock.c, optval v.val
+ is not correctly initialized and directly returned in userland in case
+ we have SO_BSDCOMPAT option set.
+
+ This dummy code should trigger the bug:
+
+ int main(void)
+ {
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+ }
+
+ Here is a patch that fix this bug by initalizing v.val just after its
+ declaration.
+
+ Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/core/sock.c linux-source-2.6.18/net/core/sock.c
+--- linux-source-2.6.18.orig/net/core/sock.c 2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/net/core/sock.c 2009-02-24 23:34:38.000000000 -0700
+@@ -656,6 +656,8 @@ int sock_getsockopt(struct socket *sock,
+ if(len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname)
+ {
+ case SO_DEBUG:
Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch1 Wed Feb 25 06:51:10 2009
@@ -59,3 +59,5 @@
+ bugfix/hppa/userspace-unwind-crash.patch
+ bugfix/all/net-add-preempt-point-in-qdisc_run.patch
+ bugfix/mips/fix-potential-dos.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
More information about the Kernel-svn-changes
mailing list