[kernel] r20096 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Wed May 15 01:49:36 UTC 2013


Author: dannf
Date: Wed May 15 01:49:35 2013
New Revision: 20096

Log:
rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed May 15 01:47:04 2013	(r20095)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 01:49:35 2013	(r20096)
@@ -16,6 +16,7 @@
   * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
   * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
   * llc: Fix missing msg_namelen update in  llc_ui_recvmsg() (CVE-2013-3231)
+  * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
 
  -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 11:48:39 -0600
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch	Wed May 15 01:49:35 2013	(r20096)
@@ -0,0 +1,39 @@
+From f05503a9ef115c505b36fcd75f77b341811e9169 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ]
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/rose/af_rose.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f9ea925..1f96fb9 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1258,6 +1258,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+ 	if (srose != NULL) {
++		memset(srose, 0, msg->msg_namelen);
+ 		srose->srose_family = AF_ROSE;
+ 		srose->srose_addr   = rose->dest_addr;
+ 		srose->srose_call   = rose->dest_call;
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:47:04 2013	(r20095)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:49:35 2013	(r20096)
@@ -654,3 +654,4 @@
 bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
 bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
 bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
+bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch



More information about the Kernel-svn-changes mailing list