[kernel] r16578 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Nov 20 23:13:42 UTC 2010 

Author: dannf
Date: Sat Nov 20 23:13:40 2010
New Revision: 16578

Log:
net: ax25: fix information leak to userland (CVE-2010-3875)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 21:39:36 2010	(r16577)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 23:13:40 2010	(r16578)
@@ -23,6 +23,7 @@
      - Truncate recvfrom and sendto length to INT_MAX.
      - Limit socket I/O iovec total length to INT_MAX.
      - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
+  * net: ax25: fix information leak to userland (CVE-2010-3875)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch	Sat Nov 20 23:13:40 2010	(r16578)
@@ -0,0 +1,34 @@
+commit 4b162edbd50eafb140fb25446822974ae611344f
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date:   Wed Nov 10 10:14:33 2010 -0800
+
+    net: ax25: fix information leak to userland
+    
+    Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
+    field of fsa struct, also the struct has padding bytes between
+    sax25_call and sax25_ndigis fields.  This structure is then copied to
+    userland.  It leads to leaking of contents of kernel stack memory.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 3c10a11..1fa11ab 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1385,6 +1385,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	ax25_cb *ax25;
+ 	int err = 0;
+ 
++	memset(fsa, 0, sizeof(fsa));
+ 	lock_sock(sk);
+ 	ax25 = ax25_sk(sk);
+ 
+@@ -1396,7 +1397,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ 
+ 		fsa->fsa_ax25.sax25_family = AF_AX25;
+ 		fsa->fsa_ax25.sax25_call   = ax25->dest_addr;
+-		fsa->fsa_ax25.sax25_ndigis = 0;
+ 
+ 		if (ax25->digipeat != NULL) {
+ 			ndigi = ax25->digipeat->ndigi;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sat Nov 20 21:39:36 2010	(r16577)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sat Nov 20 23:13:40 2010	(r16578)
@@ -19,3 +19,4 @@
 + bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
 + bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
 + bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-ax25-fix-information-leak-to-userland.patch

More information about the Kernel-svn-changes mailing list