[kernel] r16580 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Sun Nov 21 00:19:40 UTC 2010
Author: dannf
Date: Sun Nov 21 00:19:36 2010
New Revision: 16580
Log:
net: packet: fix information leak to userland (CVE-2010-3876)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 23:31:59 2010 (r16579)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Nov 21 00:19:36 2010 (r16580)
@@ -25,6 +25,7 @@
- Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
* net: ax25: fix information leak to userland (CVE-2010-3875)
* can-bcm: fix minor heap overflow (CVE-2010-3874)
+ * net: packet: fix information leak to userland (CVE-2010-3876)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch Sun Nov 21 00:19:36 2010 (r16580)
@@ -0,0 +1,40 @@
+commit 9a3e5ca92a4d5d61e9e65f61112e7bf194c16022
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date: Wed Nov 10 12:09:10 2010 -0800
+
+ net: packet: fix information leak to userland
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ packet_getname_spkt() doesn't initialize all members of sa_data field of
+ sockaddr struct if strlen(dev->name) < 13. This structure is then copied
+ to userland. It leads to leaking of contents of kernel stack memory.
+ We have to fully fill sa_data with strncpy() instead of strlcpy().
+
+ The same with packet_getname(): it doesn't initialize sll_pkttype field of
+ sockaddr_ll. Set it to zero.
+
+ Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2cee87d..49ef3e6 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1137,7 +1137,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ uaddr->sa_family = AF_PACKET;
+ dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex);
+ if (dev) {
+- strlcpy(uaddr->sa_data, dev->name, 15);
++ strlcpy(uaddr->sa_data, dev->name, 14);
+ dev_put(dev);
+ } else
+ memset(uaddr->sa_data, 0, 14);
+@@ -1160,6 +1160,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+ sll->sll_family = AF_PACKET;
+ sll->sll_ifindex = po->ifindex;
+ sll->sll_protocol = po->num;
++ sll->sll_pkttype = 0;
+ dev = dev_get_by_index(sock_net(sk), po->ifindex);
+ if (dev) {
+ sll->sll_hatype = dev->type;
More information about the Kernel-svn-changes
mailing list