[kernel] r12951 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Feb 25 18:00:53 UTC 2009


Author: dannf
Date: Wed Feb 25 18:00:49 2009
New Revision: 12951

Log:
Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/13lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	(original)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Feb 25 18:00:49 2009
@@ -7,8 +7,9 @@
   * security: introduce missing kfree (CVE-2009-0031)
   * eCryptfs: check readlink result for error before use (CVE-2009-0269)
   * dell_rbu: use scnprintf instead of less secure sprintf (CVE-2009-0322)
+  * Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)
 
- -- dann frazier <dannf at debian.org>  Fri, 13 Feb 2009 10:46:22 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 24 Feb 2009 23:00:01 -0700
 
 linux-2.6 (2.6.26-13) unstable; urgency=high
 
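Review bot: the single `+` changelog line names CVE-2009-0676 but this commit adds two patches for it (net-SO_BSDCOMPAT-leak.patch and net-SO_BSDCOMPAT-leak-2.patch, the second amending the first because the upstream fix was incomplete); consider recording that in the entry, e.g. `* Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676), including upstream follow-up fix`, so that anyone checking whether lenny carries the complete fix can see it from the changelog alone.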

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch	Wed Feb 25 18:00:49 2009
@@ -0,0 +1,31 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6e4f14d..5f97caa 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -696,7 +696,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ 	if (len < 0)
+ 		return -EINVAL;
+ 
+-	v.val = 0;
++	memset(&v, 0, sizeof(v));
+ 
+ 	switch(optname) {
+ 	case SO_DEBUG:
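Review bot: replacing `v.val = 0;` with `memset(&v, 0, sizeof(v));` is the correct scope for the fix: clearing only the int member leaves every other byte of `v` uninitialized, and, as the description notes, `v` can hold a struct timeval, so on an architecture where that struct has internal padding the padding bytes would still reach userspace when the larger member is copied out. Zeroing the whole object closes that residual infoleak. Note also that this hunk touches the same line (sock.c:696) that net-SO_BSDCOMPAT-leak.patch adds, so it only applies if that patch is ordered first in the series.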

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch	Wed Feb 25 18:00:49 2009
@@ -0,0 +1,42 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date:   Thu Feb 12 16:59:09 2009 -0800
+
+    net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+    
+    In function sock_getsockopt() located in net/core/sock.c, optval v.val
+    is not correctly initialized and directly returned in userland in case
+    we have SO_BSDCOMPAT option set.
+    
+    This dummy code should trigger the bug:
+    
+    int main(void)
+    {
+    	unsigned char buf[4] = { 0, 0, 0, 0 };
+    	int len;
+    	int sock;
+    	sock = socket(33, 2, 2);
+    	getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+    	printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+    	close(sock);
+    }
+    
+    Here is a patch that fix this bug by initalizing v.val just after its
+    declaration.
+    
+    Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index f3a0d08..6f2e133 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -696,6 +696,8 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ 	if (len < 0)
+ 		return -EINVAL;
+ 
++	v.val = 0;
++
+ 	switch(optname) {
+ 	case SO_DEBUG:
+ 		v.val = sock_flag(sk, SOCK_DBG);
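Review bot: `v.val = 0;` initializes only the int member of `v`, so this closes the 4-byte disclosure the message describes but leaves the rest of the union uninitialized; any option that returns a larger member of `v` (such as a struct timeval, with whatever padding the architecture adds) would still copy uninitialized bytes to userspace. That is exactly what the companion net-SO_BSDCOMPAT-leak-2.patch in this commit corrects by replacing this line with `memset(&v, 0, sizeof(v));`, so the two patches must ship together and in that order. Keeping this one as a separate patch is fine for tracking the upstream commit (df0bca04) one-to-one, but the changelog or a comment in the series file should make the dependency explicit.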

Modified: dists/lenny-security/linux-2.6/debian/patches/series/13lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/13lenny1	(original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/13lenny1	Wed Feb 25 18:00:49 2009
@@ -48,3 +48,5 @@
 + bugfix/all/security-keyctl-missing-kfree.patch
 + bugfix/all/ecryptfs-check-readlink-result-before-use.patch
 + bugfix/x86/dell_rbu-use-scnprintf-instead-of-sprintf.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
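Review bot: the ordering here is correct and load-bearing: net-SO_BSDCOMPAT-leak.patch introduces the `v.val = 0;` line at sock.c:696 that net-SO_BSDCOMPAT-leak-2.patch then replaces with `memset(&v, 0, sizeof(v));`, so swapping the two lines would make the second patch fail to apply. Both patches are listed, matching the single CVE-2009-0676 changelog entry.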
