[kernel/f17] CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)

Josh Boyer jwboyer at fedoraproject.org
Tue Apr 23 13:44:59 UTC 2013 

commit 4a7e4a4d415c7434f52f6bd5f7ad9da06aa7205a
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Apr 23 09:44:42 2013 -0400

    CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)

 ...ix-info-leak-via-msg_name-in-ax25_recvmsg.patch |   38 ++++++++++++++++++++
 kernel.spec                                        |    7 ++++
 2 files changed, 45 insertions(+), 0 deletions(-)
---
diff --git a/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch b/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
new file mode 100644
index 0000000..818e2d9
--- /dev/null
+++ b/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
@@ -0,0 +1,38 @@
+From ef3313e84acbf349caecae942ab3ab731471f1a1 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ax25/af_ax25.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 7b11f8b..e277e38 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1642,6 +1642,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		ax25_address src;
+ 		const unsigned char *mac = skb_mac_header(skb);
+ 
++		memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ 		ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ 				&digi, NULL, NULL);
+ 		sax->sax25_family = AF_AX25;
+-- 
+1.8.1.4
+
diff --git a/kernel.spec b/kernel.spec
index be181ed..072773c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -795,6 +795,9 @@ Patch25016: net-fix-incorrect-credentials-passing.patch
 #CVE-2013-3225 rhbz 955649 955658
 Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
 
+#CVE-2013-3223 rhbz 955662 955666
+Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1548,6 +1551,9 @@ ApplyPatch net-fix-incorrect-credentials-passing.patch
 #CVE-2013-3225 rhbz 955649 955658
 ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
 
+#CVE-2013-3223 rhbz 955662 955666
+ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2405,6 +2411,7 @@ fi
 #              '-'
 %changelog
 * Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)
 - CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
 - CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
 - CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)

More information about the scm-commits mailing list