[kernel] r19997 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 1 07:12:23 UTC 2013 

Author: dannf
Date: Wed May  1 07:12:22 2013
New Revision: 19997

Log:
Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:06:42 2013	(r19996)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:12:22 2013	(r19997)
@@ -5,6 +5,7 @@
   * keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
   * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
   * ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
+  * Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch	Wed May  1 07:12:22 2013	(r19997)
@@ -0,0 +1,41 @@
+From 4683f42fde3977bdb4e8a09622788cc8b5313778 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:49 +0000
+Subject: [PATCH] Bluetooth: fix possible info leak in bt_sock_recvmsg()
+
+In case the socket is already shutting down, bt_sock_recvmsg() returns
+with 0 without updating msg_namelen leading to net/socket.c leaking the
+local, uninitialized sockaddr_storage variable to userland -- 128 bytes
+of kernel stack memory.
+
+Fix this by moving the msg_namelen assignment in front of the shutdown
+test.
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[dannf: adjusted to apply to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 8cfb5a8..d7239dd 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags & (MSG_OOB))
+ 		return -EOPNOTSUPP;
+ 
++	msg->msg_namelen = 0;
++
+ 	if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) {
+ 		if (sk->sk_shutdown & RCV_SHUTDOWN)
+ 			return 0;
+ 		return err;
+ 	}
+ 
+-	msg->msg_namelen = 0;
+-
+ 	copied = skb->len;
+ 	if (len < copied) {
+ 		msg->msg_flags |= MSG_TRUNC;

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:06:42 2013	(r19996)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:12:22 2013	(r19997)
@@ -39,3 +39,4 @@
 + features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
 + bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
 + bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
++ bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch

More information about the Kernel-svn-changes mailing list