[kernel] r20096 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 01:49:36 UTC 2013
Author: dannf
Date: Wed May 15 01:49:35 2013
New Revision: 20096
Log:
rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 01:47:04 2013 (r20095)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 01:49:35 2013 (r20096)
@@ -16,6 +16,7 @@
* irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
* iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
* llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
+ * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch Wed May 15 01:49:35 2013 (r20096)
@@ -0,0 +1,39 @@
+From f05503a9ef115c505b36fcd75f77b341811e9169 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ]
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f9ea925..1f96fb9 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1258,6 +1258,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+ if (srose != NULL) {
++ memset(srose, 0, msg->msg_namelen);
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
+--
+1.7.10.4
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 01:47:04 2013 (r20095)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 01:49:35 2013 (r20096)
@@ -654,3 +654,4 @@
bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
+bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
More information about the Kernel-svn-changes
mailing list