[kernel] r19995 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 1 07:00:55 UTC 2013
Author: dannf
Date: Wed May 1 07:00:55 2013
New Revision: 19995
Log:
atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 06:13:24 2013 (r19994)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 07:00:55 2013 (r19995)
@@ -3,6 +3,7 @@
[ dann frazier ]
* USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
* keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
+ * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
[ Ben Hutchings ]
* ptrace: Fix ptrace when task is in task_is_stopped() state
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch Wed May 1 07:00:55 2013 (r19995)
@@ -0,0 +1,35 @@
+From 9b3e617f3df53822345a8573b6d358f6b9e5ed87 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 7b49100..737bef5 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
++ msg->msg_namelen = 0;
++
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+
+--
+1.7.10.4
+
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 06:13:24 2013 (r19994)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 07:00:55 2013 (r19995)
@@ -37,3 +37,4 @@
+ bugfix/all/intel-iommu-Flush-unmaps-at-domain_exit.patch
+ bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
+ features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
++ bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
More information about the Kernel-svn-changes
mailing list