[kernel] r20000 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Wed May 1 07:24:27 UTC 2013


Author: dannf
Date: Wed May  1 07:24:27 2013
New Revision: 20000

Log:
iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:19:21 2013	(r19999)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May  1 07:24:27 2013	(r20000)
@@ -9,6 +9,7 @@
   * Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
     (CVE-2013-3225)
   * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
+  * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch	Wed May  1 07:24:27 2013	(r20000)
@@ -0,0 +1,31 @@
+From a5598bd9c087dc0efc250a5221e5d0e6f584ee88 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:54 +0000
+Subject: [PATCH] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about iucv_sock_recvmsg() not filling the msg_name in case it was set.
+
+Cc: Ursula Braun <ursula.braun at de.ibm.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index bada1b9..f605b23 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1160,6 +1160,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	struct sk_buff *skb, *rskb, *cskb;
+ 	int err = 0;
+ 
++	msg->msg_namelen = 0;
++
+ 	if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) &&
+ 	    skb_queue_empty(&iucv->backlog_skb_q) &&
+ 	    skb_queue_empty(&sk->sk_receive_queue) &&



More information about the Kernel-svn-changes mailing list