[kernel] r20089 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Wed May 15 01:18:49 UTC 2013 

Author: dannf
Date: Wed May 15 01:18:48 2013
New Revision: 20089

Log:
ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed May 15 01:16:06 2013	(r20088)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 01:18:48 2013	(r20089)
@@ -7,6 +7,7 @@
   * crypto: algif - suppress sending source address information in recvmsg
     (CVE-2013-3076)
   * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
+  * ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
 
  -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 11:48:39 -0600
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch	Wed May 15 01:18:48 2013	(r20089)
@@ -0,0 +1,41 @@
+From e72f86d5b6602c86efb08443c58086c40228b81b Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
+
+[ Upstream commit ef3313e84acbf349caecae942ab3ab731471f1a1 ]
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ax25/af_ax25.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index b04a6ef..86ac37f 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1641,6 +1641,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		ax25_address src;
+ 		const unsigned char *mac = skb_mac_header(skb);
+ 
++		memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ 		ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ 				&digi, NULL, NULL);
+ 		sax->sax25_family = AF_AX25;
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:16:06 2013	(r20088)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:18:48 2013	(r20089)
@@ -647,3 +647,4 @@
 bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
 bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
 bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
+bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch

More information about the Kernel-svn-changes mailing list