[kernel] r20088 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Wed May 15 01:16:07 UTC 2013 

Author: dannf
Date: Wed May 15 01:16:06 2013
New Revision: 20088

Log:
atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed May 15 01:15:01 2013	(r20087)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 01:16:06 2013	(r20088)
@@ -6,6 +6,7 @@
     (CVE-2013-2015)
   * crypto: algif - suppress sending source address information in recvmsg
     (CVE-2013-3076)
+  * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
 
  -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 11:48:39 -0600
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch	Wed May 15 01:16:06 2013	(r20088)
@@ -0,0 +1,38 @@
+From 2a8c07b253bac436358adb9eb96a37dd223ef120 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/atm/common.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 0ca06e8..43b6bfe 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -500,6 +500,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ 	struct sk_buff *skb;
+ 	int copied, error = -EINVAL;
+ 
++	msg->msg_namelen = 0;
++
+ 	if (sock->state != SS_CONNECTED)
+ 		return -ENOTCONN;
+ 	if (flags & ~MSG_DONTWAIT)		/* only handle MSG_DONTWAIT */
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:15:01 2013	(r20087)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:16:06 2013	(r20088)
@@ -646,3 +646,4 @@
 bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
 bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
 bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
+bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch

More information about the Kernel-svn-changes mailing list