[kernel/f18] CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)
Josh Boyer
jwboyer at fedoraproject.org
Mon Apr 22 18:08:57 UTC 2013
commit 811fc75c6ee6320da7f6718013ebb8d87c35fd52
Author: Josh Boyer <jwboyer at redhat.com>
Date: Mon Apr 22 14:07:48 2013 -0400
CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)
atm-update-msg_namelen-in-vcc_recvmsg.patch | 35 +++++++++++++++++++++++++++
kernel.spec | 11 +++++++-
2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/atm-update-msg_namelen-in-vcc_recvmsg.patch b/atm-update-msg_namelen-in-vcc_recvmsg.patch
new file mode 100644
index 0000000..a22ef9c
--- /dev/null
+++ b/atm-update-msg_namelen-in-vcc_recvmsg.patch
@@ -0,0 +1,35 @@
+From 9b3e617f3df53822345a8573b6d358f6b9e5ed87 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 7b49100..737bef5 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
++ msg->msg_namelen = 0;
++
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+
+--
+1.8.1.4
+
diff --git a/kernel.spec b/kernel.spec
index a4d6d13..fe363c9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 202
+%global baserelease 203
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -799,6 +799,9 @@ Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch
#rhbz 947539
Patch25013: md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch
+#CVE-2013-3222 rhbz 955216 955228
+Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1548,6 +1551,9 @@ ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch
#rhbz 947539
ApplyPatch md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch
+#CVE-2013-3222 rhbz 955216 955228
+ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2405,6 +2411,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Apr 22 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)
+
* Wed Apr 17 2013 Josh Boyer <jwboyer at redhat.com> - 3.8.8-202
- Fix missing raid REQ_WRITE_SAME flag commit (rhbz 947539)
More information about the scm-commits
mailing list