[kernel] r20004 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat May 4 00:56:56 UTC 2013 

Author: dannf
Date: Sat May  4 00:56:55 2013
New Revision: 20004

Log:
tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE-2013-3235)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sat May  4 00:39:41 2013	(r20003)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sat May  4 00:56:55 2013	(r20004)
@@ -12,6 +12,7 @@
   * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
   * llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
   * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
+  * tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE-2013-3235)
 
   [ Ben Hutchings ]
   * ptrace: Fix ptrace when task is in task_is_stopped() state

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch	Sat May  4 00:56:55 2013	(r20004)
@@ -0,0 +1,70 @@
+From 60085c3d009b0df252547adb336d1ccca5ce52ec Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: [PATCH] tipc: fix info leaks via msg_name in recv_msg/recv_stream
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Cc: Jon Maloy <jon.maloy at ericsson.com>
+Cc: Allan Stephens <allan.stephens at windriver.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 523efbb..2984999 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1275,6 +1275,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+ 	if (srose != NULL) {
++		memset(srose, 0, msg->msg_namelen);
+ 		srose->srose_family = AF_ROSE;
+ 		srose->srose_addr   = rose->dest_addr;
+ 		srose->srose_call   = rose->dest_call;
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index bf4b320..f5b0547 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -800,6 +800,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
+ 	if (addr) {
+ 		addr->family = AF_TIPC;
+ 		addr->addrtype = TIPC_ADDR_ID;
++		memset(&addr->addr, 0, sizeof(addr->addr));
+ 		addr->addr.id.ref = msg_origport(msg);
+ 		addr->addr.id.node = msg_orignode(msg);
+ 		addr->addr.name.domain = 0;   	/* could leave uninitialized */
+@@ -916,6 +917,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
++	/* will be updated in set_orig_addr() if needed */
++	m->msg_namelen = 0;
++
+ restart:
+ 
+ 	/* Look for a message in receive queue; wait if necessary */
+@@ -1049,6 +1053,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
++	/* will be updated in set_orig_addr() if needed */
++	m->msg_namelen = 0;
++
+ restart:
+ 
+ 	/* Look for a message in receive queue; wait if necessary */

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sat May  4 00:39:41 2013	(r20003)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sat May  4 00:56:55 2013	(r20004)
@@ -45,3 +45,4 @@
 + bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
 + bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
 + bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
++ bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch

More information about the Kernel-svn-changes mailing list