[kernel/f18] CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)

[Josh Boyer]

commit 811fc75c6ee6320da7f6718013ebb8d87c35fd52
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Apr 22 14:07:48 2013 -0400

    CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)

 atm-update-msg_namelen-in-vcc_recvmsg.patch |   35 +++++++++++++++++++++++++++
 kernel.spec                                 |   11 +++++++-
 2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/atm-update-msg_namelen-in-vcc_recvmsg.patch b/atm-update-msg_namelen-in-vcc_recvmsg.patch
new file mode 100644
index 0000000..a22ef9c
--- /dev/null
+++ b/atm-update-msg_namelen-in-vcc_recvmsg.patch
@@ -0,0 +1,35 @@
+From 9b3e617f3df53822345a8573b6d358f6b9e5ed87 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 7b49100..737bef5 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ 	struct sk_buff *skb;
+ 	int copied, error = -EINVAL;
+ 
++	msg->msg_namelen = 0;
++
+ 	if (sock->state != SS_CONNECTED)
+ 		return -ENOTCONN;
+ 
+-- 
+1.8.1.4
+
diff --git a/kernel.spec b/kernel.spec
index a4d6d13..fe363c9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 202
+%global baserelease 203
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -799,6 +799,9 @@ Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch
 #rhbz 947539
 Patch25013: md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch
 
+#CVE-2013-3222 rhbz 955216 955228
+Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1548,6 +1551,9 @@ ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch
 #rhbz 947539
 ApplyPatch md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch
 
+#CVE-2013-3222 rhbz 955216 955228
+ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2405,6 +2411,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Apr 22 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)
+
 * Wed Apr 17 2013 Josh Boyer <jwboyer at redhat.com> - 3.8.8-202
 - Fix missing raid REQ_WRITE_SAME flag commit (rhbz 947539)