[kernel] r16580 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Sun Nov 21 00:19:40 UTC 2010


Author: dannf
Date: Sun Nov 21 00:19:36 2010
New Revision: 16580

Log:
net: packet: fix information leak to userland (CVE-2010-3876)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 23:31:59 2010	(r16579)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 00:19:36 2010	(r16580)
@@ -25,6 +25,7 @@
      - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
   * net: ax25: fix information leak to userland (CVE-2010-3875)
   * can-bcm: fix minor heap overflow (CVE-2010-3874)
+  * net: packet: fix information leak to userland (CVE-2010-3876)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch	Sun Nov 21 00:19:36 2010	(r16580)
@@ -0,0 +1,40 @@
+commit 9a3e5ca92a4d5d61e9e65f61112e7bf194c16022
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date:   Wed Nov 10 12:09:10 2010 -0800
+
+    net: packet: fix information leak to userland
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    packet_getname_spkt() doesn't initialize all members of sa_data field of
+    sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
+    to userland.  It leads to leaking of contents of kernel stack memory.
+    We have to fully fill sa_data with strncpy() instead of strlcpy().
+    
+    The same with packet_getname(): it doesn't initialize sll_pkttype field of
+    sockaddr_ll.  Set it to zero.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2cee87d..49ef3e6 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1137,7 +1137,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ 	uaddr->sa_family = AF_PACKET;
+ 	dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex);
+ 	if (dev) {
+-		strlcpy(uaddr->sa_data, dev->name, 15);
++		strlcpy(uaddr->sa_data, dev->name, 14);
+ 		dev_put(dev);
+ 	} else
+ 		memset(uaddr->sa_data, 0, 14);
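
Review bot: in the packet_getname_spkt() hunk the copy is still strlcpy(), only with the size lowered from 15 to 14, while the commit message above says sa_data has to be filled completely with strncpy() instead of strlcpy(). strlcpy() writes the name plus one terminating NUL and does not pad the rest of the buffer, so for a short dev->name the trailing bytes of sa_data keep whatever they held before, unless they are cleared somewhere outside the visible context. To match the description, use `strncpy(uaddr->sa_data, dev->name, 14);`, which zero-fills the remainder the same way the else branch does with memset().
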
+@@ -1160,6 +1160,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	sll->sll_family = AF_PACKET;
+ 	sll->sll_ifindex = po->ifindex;
+ 	sll->sll_protocol = po->num;
++	sll->sll_pkttype = 0;
+ 	dev = dev_get_by_index(sock_net(sk), po->ifindex);
+ 	if (dev) {
+ 		sll->sll_hatype = dev->type;
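
Review bot: zeroing sll_pkttype on its own, next to the sll_protocol assignment, leaves packet_getname() dependent on every remaining sockaddr_ll member being assigned one by one before the structure is returned; the visible context shows sll_hatype set only inside `if (dev)`, and the other branch is outside the hunk. Clearing the whole structure once at the top of the function (a memset() over sizeof(*sll)) would cover this field and any member added later. Failing that, a short comment stating that the field is zeroed because the structure is copied to userland would make the intent clear.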


