[linux] 04/06: Add networking information leak fixes
debian-kernel at lists.debian.org
Fri Jun 24 19:56:45 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 3c3898ef932d9fe4ff324f05b358b215eadc0dbe
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Jun 24 21:46:49 2016 +0200
Add networking information leak fixes
---
debian/changelog | 3 ++
.../net-fix-a-kernel-infoleak-in-x25-module.patch | 29 ++++++++++++++
.../bugfix/all/net-fix-infoleak-in-llc.patch | 29 ++++++++++++++
.../bugfix/all/net-fix-infoleak-in-rtnetlink.patch | 46 ++++++++++++++++++++++
debian/patches/series | 3 ++
5 files changed, 110 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a6cdf8c..e3c7e08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,9 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
* USB: digi_acceleport: do sanity checking for the number of ports
(CVE-2016-3140)
* mm: migrate dirty page without clear_page_dirty_for_io etc (CVE-2016-3070)
+ * net: fix infoleak in llc (CVE-2016-4485)
+ * net: fix infoleak in rtnetlink (CVE-2016-4486)
+ * net: fix a kernel infoleak in x25 module (CVE-2016-4580)
[ Salvatore Bonaccorso ]
* [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/all/net-fix-a-kernel-infoleak-in-x25-module.patch b/debian/patches/bugfix/all/net-fix-a-kernel-infoleak-in-x25-module.patch
new file mode 100644
index 0000000..93d3eeb
--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-a-kernel-infoleak-in-x25-module.patch
@@ -0,0 +1,29 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Sun, 8 May 2016 12:10:14 -0400
+Subject: net: fix a kernel infoleak in x25 module
+Origin: https://git.kernel.org/linus/79e48650320e6fba48369fccf13fd045315b19b8
+
+Stack object "dte_facilities" is allocated in x25_rx_call_request(),
+which is supposed to be initialized in x25_negotiate_facilities.
+However, 5 fields (8 bytes in total) are not initialized. This
+object is then copied to userland via copy_to_user, thus infoleak
+occurs.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/x25/x25_facilities.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 7ecd04c21360..997ff7b2509b 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -277,6 +277,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
+
+ memset(&theirs, 0, sizeof(theirs));
+ memcpy(new, ours, sizeof(*new));
++ memset(dte, 0, sizeof(*dte));
+
+ len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
+ if (len < 0)
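Review bot: the added memset(dte, 0, sizeof(*dte)) in x25_negotiate_facilities() carries no comment explaining that dte is later copied to userland, so it could be mistaken for redundant initialisation ahead of x25_parse_facilities() and removed in a later cleanup. A one-line comment above it would prevent that. The placement itself is sound: it runs before x25_parse_facilities() and the len < 0 check, so dte is cleared on that path as well. The commit message says 5 fields (8 bytes) are left uninitialised but does not name them; listing them would let a reader check the claim against the struct definition. The patch header could also record CVE-2016-4580, which currently appears only in debian/changelog.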
diff --git a/debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch b/debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch
new file mode 100644
index 0000000..c94651b
--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch
@@ -0,0 +1,29 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:35:05 -0400
+Subject: net: fix infoleak in llc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/b8670c09f37bdf2847cc44f36511a53afc6161fd
+
+The stack object “info” has a total size of 12 bytes. Its last byte
+is padding which is not initialized and leaked via “put_cmsg”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index b3c52e3f689a..8ae3ed97d95c 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
+ if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
+ struct llc_pktinfo info;
+
++ memset(&info, 0, sizeof(info));
+ info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
+ llc_pdu_decode_dsap(skb, &info.lpi_sap);
+ llc_pdu_decode_da(skb, info.lpi_mac);
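Review bot: the memset(&info, 0, sizeof(info)) added in llc_cmsg_rcv() is the only statement that clears the padding byte the commit message describes, and nothing in the code says so. The assignments to lpi_ifindex, lpi_sap and lpi_mac that follow it write named fields only. Suggest a short comment noting that the memset exists for the padding, so that it is not later replaced by an initializer, which is not guaranteed to clear padding bytes. As a style point, this patch header carries MIME-Version, Content-Type and Content-Transfer-Encoding lines that the x25 and rtnetlink patch headers in the same commit do not; either drop them or make the three headers consistent.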
diff --git a/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
new file mode 100644
index 0000000..265c1b8
--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
@@ -0,0 +1,46 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: net: fix infoleak in rtnetlink
+Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 147c63784052..e4666af74141 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1013,14 +1013,16 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
+ goto nla_put_failure;
+
+ if (1) {
+- struct rtnl_link_ifmap map = {
+- .mem_start = dev->mem_start,
+- .mem_end = dev->mem_end,
+- .base_addr = dev->base_addr,
+- .irq = dev->irq,
+- .dma = dev->dma,
+- .port = dev->if_port,
+- };
++ struct rtnl_link_ifmap map;
++
++ memset(&map, 0, sizeof(map));
++ map.mem_start = dev->mem_start;
++ map.mem_end = dev->mem_end;
++ map.base_addr = dev->base_addr;
++ map.irq = dev->irq;
++ map.dma = dev->dma;
++ map.port = dev->if_port;
++
+ if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ goto nla_put_failure;
+ }
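Review bot: the backport note "[bwh: Backported to 3.2: adjust context, indentation]" names 3.2, but this commit goes to the jessie-security branch, whose changelog entry is linux 3.16.7-ckt25-2+deb8u1. Please confirm the 3.2 backport applies unchanged to the 3.16 tree, or update the note to name the version the patch was actually prepared against. On the code itself, replacing the designated initializer with memset(&map, 0, sizeof(map)) plus field assignments matches the commit message's point that the last 4 bytes of map are compiler padding sent out through nla_put(); a brief comment at the memset saying it is there for the padding would stop the block from being converted back to an initializer later.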
diff --git a/debian/patches/series b/debian/patches/series
index e9ae6d7..9fb3138 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -697,3 +697,6 @@ bugfix/all/usb-cypress_m8-add-endpoint-sanity-check.patch
bugfix/all/usb-cdc-acm-more-sanity-checking.patch
bugfix/all/usb-digi_acceleport-do-sanity-checking-for-the-numbe.patch
bugfix/all/mm-migrate-dirty-page-without-clear_page_dirty_for_io-etc.patch
+bugfix/all/net-fix-infoleak-in-llc.patch
+bugfix/all/net-fix-infoleak-in-rtnetlink.patch
+bugfix/all/net-fix-a-kernel-infoleak-in-x25-module.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git