[kernel] r20090 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 01:22:52 UTC 2013
Author: dannf
Date: Wed May 15 01:22:52 2013
New Revision: 20090
Log:
Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 01:18:48 2013 (r20089)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 01:22:52 2013 (r20090)
@@ -8,6 +8,7 @@
(CVE-2013-3076)
* atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
* ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
+ * Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch Wed May 15 01:22:52 2013 (r20090)
@@ -0,0 +1,50 @@
+From 95ee0fb7a014cdf80be37b329fa462ff3847f7c0 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:49 +0000
+Subject: [PATCH] Bluetooth: fix possible info leak in bt_sock_recvmsg()
+
+[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ]
+
+In case the socket is already shutting down, bt_sock_recvmsg() returns
+with 0 without updating msg_namelen leading to net/socket.c leaking the
+local, uninitialized sockaddr_storage variable to userland -- 128 bytes
+of kernel stack memory.
+
+Fix this by moving the msg_namelen assignment in front of the shutdown
+test.
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/bluetooth/af_bluetooth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 062124c..838f113 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -245,6 +245,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (flags & (MSG_OOB))
+ return -EOPNOTSUPP;
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -252,8 +254,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ return err;
+ }
+
+- msg->msg_namelen = 0;
+-
+ copied = skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
+--
+1.7.10.4
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 01:18:48 2013 (r20089)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 01:22:52 2013 (r20090)
@@ -648,3 +648,4 @@
bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
More information about the Kernel-svn-changes
mailing list