[kernel] r19999 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 1 07:19:22 UTC 2013


Author: dannf
Date: Wed May  1 07:19:21 2013
New Revision: 19999

Log:
irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:15:12 2013	(r19998)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:19:21 2013	(r19999)
@@ -8,6 +8,7 @@
   * Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
   * Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
     (CVE-2013-3225)
+  * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch	Wed May  1 07:19:21 2013	(r19999)
@@ -0,0 +1,37 @@
+From 5ae94c0d2f0bed41d6718be743985d61b7f5c47d Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: [PATCH] irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Cc: Samuel Ortiz <samuel at sortiz.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/irda/af_irda.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index d28e7f0..e493b33 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+ 
+ 	IRDA_DEBUG(4, "%s()\n", __func__);
+ 
++	msg->msg_namelen = 0;
++
+ 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ 				flags & MSG_DONTWAIT, &err);
+ 	if (!skb)
+-- 
+1.7.10.4
+

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:15:12 2013	(r19998)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Wed May  1 07:19:21 2013	(r19999)
@@ -41,3 +41,4 @@
 + bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
 + bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
 + bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
++ bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch



More information about the Kernel-svn-changes mailing list