[kernel] r19999 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 1 07:19:22 UTC 2013
Author: dannf
Date: Wed May 1 07:19:21 2013
New Revision: 19999
Log:
irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 07:15:12 2013 (r19998)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 07:19:21 2013 (r19999)
@@ -8,6 +8,7 @@
* Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
* Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
(CVE-2013-3225)
+ * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
[ Ben Hutchings ]
* ptrace: Fix ptrace when task is in task_is_stopped() state
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch Wed May 1 07:19:21 2013 (r19999)
@@ -0,0 +1,37 @@
+From 5ae94c0d2f0bed41d6718be743985d61b7f5c47d Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: [PATCH] irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Cc: Samuel Ortiz <samuel at sortiz.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/irda/af_irda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index d28e7f0..e493b33 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+
+ IRDA_DEBUG(4, "%s()\n", __func__);
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+ if (!skb)
+--
+1.7.10.4
+
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 07:15:12 2013 (r19998)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 07:19:21 2013 (r19999)
@@ -41,3 +41,4 @@
+ bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+ bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
+ bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
++ bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
More information about the Kernel-svn-changes
mailing list