[kernel] r20002 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat May 4 00:34:44 UTC 2013
Author: dannf
Date: Sat May 4 00:34:44 2013
New Revision: 20002
Log:
llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed May 1 07:25:07 2013 (r20001)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sat May 4 00:34:44 2013 (r20002)
@@ -10,6 +10,7 @@
(CVE-2013-3225)
* irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
* iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
+ * llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
[ Ben Hutchings ]
* ptrace: Fix ptrace when task is in task_is_stopped() state
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch Sat May 4 00:34:44 2013 (r20002)
@@ -0,0 +1,37 @@
+From c77a4b9cffb6215a15196ec499490d116dfad181 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:56 +0000
+Subject: [PATCH] llc: Fix missing msg_namelen update in llc_ui_recvmsg()
+
+For stream sockets the code misses to update the msg_namelen member
+to 0 and therefore makes net/socket.c leak the local, uninitialized
+sockaddr_storage variable to userland -- 128 bytes of kernel stack
+memory. The msg_namelen update is also missing for datagram sockets
+in case the socket is shutting down during receive.
+
+Fix both issues by setting msg_namelen to 0 early. It will be
+updated later if we're going to fill the msg_name member.
+
+Cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/llc/af_llc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 8870988..48aaa89 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
+ int target; /* Read at least this many bytes */
+ long timeo;
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+ copied = -ENOTCONN;
+ if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
+--
+1.7.10.4
+
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Wed May 1 07:25:07 2013 (r20001)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Sat May 4 00:34:44 2013 (r20002)
@@ -43,3 +43,4 @@
+ bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
+ bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
+ bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
++ bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
More information about the Kernel-svn-changes
mailing list