[kernel] r19998 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 1 07:15:13 UTC 2013 

Author: dannf
Date: Wed May  1 07:15:12 2013
New Revision: 19998

Log:
Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
(CVE-2013-3225)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:12:22 2013	(r19997)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:15:12 2013	(r19998)
@@ -6,6 +6,8 @@
   * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
   * ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
   * Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
+  * Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
+    (CVE-2013-3225)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch	Wed May  1 07:15:12 2013	(r19998)
@@ -0,0 +1,37 @@
+From e11e0455c0d7d3d62276a0c55d9dfbc16779d691 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:50 +0000
+Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in
+ rfcomm_sock_recvmsg()
+
+If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
+early with 0 without updating the possibly set msg_namelen member. This,
+in turn, leads to a 128 byte kernel stack leak in net/socket.c.
+
+Fix this by updating msg_namelen in this case. For all other cases it
+will be handled in bt_sock_stream_recvmsg().
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/bluetooth/rfcomm/sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index c23bae8..7c9224b 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -608,6 +608,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ 		rfcomm_dlc_accept(d);
++		msg->msg_namelen = 0;
+ 		return 0;
+ 	}
+ 
+-- 
+1.7.10.4
+

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:12:22 2013	(r19997)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:15:12 2013	(r19998)
@@ -40,3 +40,4 @@
 + bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
 + bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
 + bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
++ bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch

More information about the Kernel-svn-changes mailing list