[kernel] r19996 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 1 07:06:42 UTC 2013
Author: dannf
Date: Wed May 1 07:06:42 2013
New Revision: 19996
Log:
ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 07:00:55 2013 (r19995)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 07:06:42 2013 (r19996)
@@ -4,6 +4,7 @@
* USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
* keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
* atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
+ * ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
[ Ben Hutchings ]
* ptrace: Fix ptrace when task is in task_is_stopped() state
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch Wed May 1 07:06:42 2013 (r19996)
@@ -0,0 +1,38 @@
+From ef3313e84acbf349caecae942ab3ab731471f1a1 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ax25/af_ax25.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 7b11f8b..e277e38 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1642,6 +1642,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ ax25_address src;
+ const unsigned char *mac = skb_mac_header(skb);
+
++ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ &digi, NULL, NULL);
+ sax->sax25_family = AF_AX25;
+--
+1.7.10.4
+
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 07:00:55 2013 (r19995)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 07:06:42 2013 (r19996)
@@ -38,3 +38,4 @@
+ bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
+ features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
+ bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
++ bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
More information about the Kernel-svn-changes
mailing list