[kernel] r12951 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Feb 25 18:00:53 UTC 2009
Author: dannf
Date: Wed Feb 25 18:00:49 2009
New Revision: 12951
Log:
Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/13lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog (original)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Feb 25 18:00:49 2009
@@ -7,8 +7,9 @@
* security: introduce missing kfree (CVE-2009-0031)
* eCryptfs: check readlink result for error before use (CVE-2009-0269)
* dell_rbu: use scnprintf instead of less secure sprintf (CVE-2009-0322)
+ * Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)
- -- dann frazier <dannf at debian.org> Fri, 13 Feb 2009 10:46:22 -0700
+ -- dann frazier <dannf at debian.org> Tue, 24 Feb 2009 23:00:01 -0700
linux-2.6 (2.6.26-13) unstable; urgency=high
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch Wed Feb 25 18:00:49 2009
@@ -0,0 +1,31 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6e4f14d..5f97caa 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -696,7 +696,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ if (len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname) {
+ case SO_DEBUG:
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch Wed Feb 25 18:00:49 2009
@@ -0,0 +1,42 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date: Thu Feb 12 16:59:09 2009 -0800
+
+ net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+ In function sock_getsockopt() located in net/core/sock.c, optval v.val
+ is not correctly initialized and directly returned in userland in case
+ we have SO_BSDCOMPAT option set.
+
+ This dummy code should trigger the bug:
+
+ int main(void)
+ {
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+ }
+
+ Here is a patch that fix this bug by initalizing v.val just after its
+ declaration.
+
+ Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index f3a0d08..6f2e133 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -696,6 +696,8 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ if (len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname) {
+ case SO_DEBUG:
+ v.val = sock_flag(sk, SOCK_DBG);
Modified: dists/lenny-security/linux-2.6/debian/patches/series/13lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/13lenny1 (original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/13lenny1 Wed Feb 25 18:00:49 2009
@@ -48,3 +48,5 @@
+ bugfix/all/security-keyctl-missing-kfree.patch
+ bugfix/all/ecryptfs-check-readlink-result-before-use.patch
+ bugfix/x86/dell_rbu-use-scnprintf-instead-of-sprintf.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
More information about the Kernel-svn-changes
mailing list