[kernel] r20088 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 01:16:07 UTC 2013
Author: dannf
Date: Wed May 15 01:16:06 2013
New Revision: 20088
Log:
atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 01:15:01 2013 (r20087)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 01:16:06 2013 (r20088)
@@ -6,6 +6,7 @@
(CVE-2013-2015)
* crypto: algif - suppress sending source address information in recvmsg
(CVE-2013-3076)
+ * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch Wed May 15 01:16:06 2013 (r20088)
@@ -0,0 +1,38 @@
+From 2a8c07b253bac436358adb9eb96a37dd223ef120 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 0ca06e8..43b6bfe 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -500,6 +500,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
++ msg->msg_namelen = 0;
++
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+ if (flags & ~MSG_DONTWAIT) /* only handle MSG_DONTWAIT */
+--
+1.7.10.4
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 01:15:01 2013 (r20087)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 01:16:06 2013 (r20088)
@@ -646,3 +646,4 @@
bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
+bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
More information about the Kernel-svn-changes
mailing list