[kernel] r20097 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 01:52:12 UTC 2013
Author: dannf
Date: Wed May 15 01:52:11 2013
New Revision: 20097
Log:
tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE_2013-3235)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 01:49:35 2013 (r20096)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 01:52:11 2013 (r20097)
@@ -17,6 +17,7 @@
* iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
* llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
* rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
+ * tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE_2013-3235)
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch Wed May 15 01:52:11 2013 (r20097)
@@ -0,0 +1,66 @@
+From 1ae38900523eaf11a77c73827c096d7e7eade3a4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: [PATCH] tipc: fix info leaks via msg_name in recv_msg/recv_stream
+
+[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Cc: Jon Maloy <jon.maloy at ericsson.com>
+Cc: Allan Stephens <allan.stephens at windriver.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/tipc/socket.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 42b8324..fdf34af 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
+ if (addr) {
+ addr->family = AF_TIPC;
+ addr->addrtype = TIPC_ADDR_ID;
++ memset(&addr->addr, 0, sizeof(addr->addr));
+ addr->addr.id.ref = msg_origport(msg);
+ addr->addr.id.node = msg_orignode(msg);
+ addr->addr.name.domain = 0; /* could leave uninitialized */
+@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+
+@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+--
+1.7.10.4
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 01:49:35 2013 (r20096)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 01:52:11 2013 (r20097)
@@ -655,3 +655,4 @@
bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
More information about the Kernel-svn-changes
mailing list