[kernel] r20097 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Dann Frazier dannf at alioth.debian.org
Wed May 15 01:52:12 UTC 2013 

Author: dannf
Date: Wed May 15 01:52:11 2013
New Revision: 20097

Log:
tipc: fix info leaks via msg_name in  recv_msg/recv_stream (CVE_2013-3235)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed May 15 01:49:35 2013	(r20096)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 01:52:11 2013	(r20097)
@@ -17,6 +17,7 @@
   * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
   * llc: Fix missing msg_namelen update in  llc_ui_recvmsg() (CVE-2013-3231)
   * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
+  * tipc: fix info leaks via msg_name in  recv_msg/recv_stream (CVE_2013-3235)
 
  -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 11:48:39 -0600
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch	Wed May 15 01:52:11 2013	(r20097)
@@ -0,0 +1,66 @@
+From 1ae38900523eaf11a77c73827c096d7e7eade3a4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: [PATCH] tipc: fix info leaks via msg_name in  recv_msg/recv_stream
+
+[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Cc: Jon Maloy <jon.maloy at ericsson.com>
+Cc: Allan Stephens <allan.stephens at windriver.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/tipc/socket.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 42b8324..fdf34af 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
+ 	if (addr) {
+ 		addr->family = AF_TIPC;
+ 		addr->addrtype = TIPC_ADDR_ID;
++		memset(&addr->addr, 0, sizeof(addr->addr));
+ 		addr->addr.id.ref = msg_origport(msg);
+ 		addr->addr.id.node = msg_orignode(msg);
+ 		addr->addr.name.domain = 0;	/* could leave uninitialized */
+@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
++	/* will be updated in set_orig_addr() if needed */
++	m->msg_namelen = 0;
++
+ 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+ 
+@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
++	/* will be updated in set_orig_addr() if needed */
++	m->msg_namelen = 0;
++
+ 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:49:35 2013	(r20096)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 01:52:11 2013	(r20097)
@@ -655,3 +655,4 @@
 bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
 bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
 bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch

More information about the Kernel-svn-changes mailing list