[kernel] r20092 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 01:36:40 UTC 2013
Author: dannf
Date: Wed May 15 01:36:39 2013
New Revision: 20092
Log:
caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
(CVE-2013-3227)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 01:32:14 2013 (r20091)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 01:36:39 2013 (r20092)
@@ -11,6 +11,8 @@
* Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
* Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
(CVE-2013-3225)
+ * caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
+ (CVE-2013-3227)
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch Wed May 15 01:36:39 2013 (r20092)
@@ -0,0 +1,38 @@
+From 2d6fbfe733f35c6b355c216644e08e149c61b271 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:52 +0000
+Subject: [PATCH] caif: Fix missing msg_namelen update in
+ caif_seqpkt_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about caif_seqpkt_recvmsg() not filling the msg_name in case it was
+set.
+
+Cc: Sjur Braendeland <sjur.brandeland at stericsson.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/caif/caif_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 095259f..ff2ff3c 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -286,6 +286,8 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (m->msg_flags&MSG_OOB)
+ goto read_error;
+
++ m->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ if (!skb)
+ goto read_error;
+--
+1.7.10.4
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 01:32:14 2013 (r20091)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 01:36:39 2013 (r20092)
@@ -650,3 +650,4 @@
bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
+bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
More information about the Kernel-svn-changes
mailing list