[kernel] r20003 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat May 4 00:39:41 UTC 2013 

Author: dannf
Date: Sat May  4 00:39:41 2013
New Revision: 20003

Log:
rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sat May  4 00:34:44 2013	(r20002)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sat May  4 00:39:41 2013	(r20003)
@@ -11,6 +11,7 @@
   * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
   * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
   * llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
+  * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch	Sat May  4 00:39:41 2013	(r20003)
@@ -0,0 +1,36 @@
+From 4a184233f21645cf0b719366210ed445d1024d72 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rose/af_rose.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index cf68e6e..9c83474 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+ 	if (srose != NULL) {
++		memset(srose, 0, msg->msg_namelen);
+ 		srose->srose_family = AF_ROSE;
+ 		srose->srose_addr   = rose->dest_addr;
+ 		srose->srose_call   = rose->dest_call;
+-- 
+1.7.10.4
+

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sat May  4 00:34:44 2013	(r20002)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sat May  4 00:39:41 2013	(r20003)
@@ -44,3 +44,4 @@
 + bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
 + bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
 + bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
++ bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch

More information about the Kernel-svn-changes mailing list