[kernel/f17] CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 95565

[Josh Boyer]

commit 2d3286ee13107fcd3b140087ca70c2faefab9400
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Apr 23 09:31:51 2013 -0400

    CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)

 ...FCOMM-Fix-missing-msg_namelen-update-in-r.patch |   37 ++++++++++++++++++++
 kernel.spec                                        |    7 ++++
 2 files changed, 44 insertions(+), 0 deletions(-)
---
diff --git a/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch b/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
new file mode 100644
index 0000000..a4db050
--- /dev/null
+++ b/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
@@ -0,0 +1,37 @@
+From e11e0455c0d7d3d62276a0c55d9dfbc16779d691 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:50 +0000
+Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in
+ rfcomm_sock_recvmsg()
+
+If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
+early with 0 without updating the possibly set msg_namelen member. This,
+in turn, leads to a 128 byte kernel stack leak in net/socket.c.
+
+Fix this by updating msg_namelen in this case. For all other cases it
+will be handled in bt_sock_stream_recvmsg().
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/bluetooth/rfcomm/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index c23bae8..7c9224b 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -608,6 +608,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ 		rfcomm_dlc_accept(d);
++		msg->msg_namelen = 0;
+ 		return 0;
+ 	}
+ 
+-- 
+1.8.1.4
+
diff --git a/kernel.spec b/kernel.spec
index b965f06..be181ed 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -792,6 +792,9 @@ Patch25015: Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
 #CVE-2013-1979 rhbz 955629 955647
 Patch25016: net-fix-incorrect-credentials-passing.patch
 
+#CVE-2013-3225 rhbz 955649 955658
+Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1542,6 +1545,9 @@ ApplyPatch Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
 #CVE-2013-1979 rhbz 955629 955647
 ApplyPatch net-fix-incorrect-credentials-passing.patch
 
+#CVE-2013-3225 rhbz 955649 955658
+ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2399,6 +2405,7 @@ fi
 #              '-'
 %changelog
 * Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
 - CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
 - CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)