[kernel] r19995 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 1 07:00:55 UTC 2013 

Author: dannf
Date: Wed May  1 07:00:55 2013
New Revision: 19995

Log:
atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 06:13:24 2013	(r19994)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:00:55 2013	(r19995)
@@ -3,6 +3,7 @@
   [ dann frazier ]
   * USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
   * keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
+  * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch	Wed May  1 07:00:55 2013	(r19995)
@@ -0,0 +1,35 @@
+From 9b3e617f3df53822345a8573b6d358f6b9e5ed87 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/atm/common.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 7b49100..737bef5 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ 	struct sk_buff *skb;
+ 	int copied, error = -EINVAL;
+ 
++	msg->msg_namelen = 0;
++
+ 	if (sock->state != SS_CONNECTED)
+ 		return -ENOTCONN;
+ 
+-- 
+1.7.10.4
+

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 06:13:24 2013	(r19994)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:00:55 2013	(r19995)
@@ -37,3 +37,4 @@
 + bugfix/all/intel-iommu-Flush-unmaps-at-domain_exit.patch
 + bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
 + features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
++ bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch

More information about the Kernel-svn-changes mailing list