[kernel/f18] CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)

Josh Boyer jwboyer at fedoraproject.org
Wed Apr 24 12:24:12 UTC 2013


commit d698a1000aec362787733e1d19655f9ee3f0294b
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Apr 24 08:23:22 2013 -0400

    CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)

 ...f-suppress-sending-source-address-informa.patch |   46 ++++++++++++++++++++
 kernel.spec                                        |   11 ++++-
 2 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/crypto-algif-suppress-sending-source-address-informa.patch b/crypto-algif-suppress-sending-source-address-informa.patch
new file mode 100644
index 0000000..3484c25
--- /dev/null
+++ b/crypto-algif-suppress-sending-source-address-informa.patch
@@ -0,0 +1,46 @@
+From 72a763d805a48ac8c0bf48fdb510e84c12de51fe Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 14:05:39 +0200
+Subject: [PATCH] crypto: algif - suppress sending source address information
+ in recvmsg
+
+The current code does not set the msg_namelen member to 0 and therefore
+makes net/socket.c leak the local sockaddr_storage variable to userland
+-- 128 bytes of kernel stack memory. Fix that.
+
+Cc: <stable at vger.kernel.org> # 2.6.38
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ crypto/algif_hash.c     | 2 ++
+ crypto/algif_skcipher.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
+index ef5356c..0262210 100644
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
+ 	else if (len < ds)
+ 		msg->msg_flags |= MSG_TRUNC;
+ 
++	msg->msg_namelen = 0;
++
+ 	lock_sock(sk);
+ 	if (ctx->more) {
+ 		ctx->more = 0;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 6a6dfc0..a1c4f0a 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
+ 	long copied = 0;
+ 
+ 	lock_sock(sk);
++	msg->msg_namelen = 0;
+ 	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
+ 	     iovlen--, iov++) {
+ 		unsigned long seglen = iov->iov_len;
+-- 
+1.8.1.4
+
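Review bot: The two added "msg->msg_namelen = 0;" assignments sit on opposite sides of lock_sock(sk): before the lock in hash_recvmsg() (crypto/algif_hash.c) and after it in skcipher_recvmsg() (crypto/algif_skcipher.c). Both placements work, but using the same position in both functions would make the fix easier to audit. In hash_recvmsg() the assignment lands at line 161, after the len/ds checks, and the context shown here does not cover the top of the function. Please confirm that no return path precedes the assignment, because any such path would still leave msg_namelen unset and expose the 128 bytes of sockaddr_storage that the commit message describes.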
diff --git a/kernel.spec b/kernel.spec
index 2578948..83c0d7c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -814,6 +814,9 @@ Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
 #CVE-2013-3223 rhbz 955662 955666
 Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
 
+#CVE-2013-3076 956162 956168
+Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
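Review bot: The added comment "#CVE-2013-3076 956162 956168" above Patch25019 omits the "rhbz" prefix that the neighbouring entry uses ("#CVE-2013-3223 rhbz 955662 955666"). The same omission appears in the comment above the matching ApplyPatch line. Suggest "#CVE-2013-3076 rhbz 956162 956168" in both places so that a search for "rhbz" plus the bug number finds this patch like the others.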
@@ -1578,6 +1581,9 @@ ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
 #CVE-2013-3223 rhbz 955662 955666
 ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
 
+#CVE-2013-3076 956162 956168
+ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2435,7 +2441,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
-* Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com> - 3.8.8-203
+* Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
+
+* Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com>
 - CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)
 - CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
 - CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
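Review bot: The changelog hunk removes the "- 3.8.8-203" version-release tag from the Apr 23 entry header, and the new Apr 24 header carries no tag either. After this change neither entry records which build it belongs to. If the tag is meant to be added only when the next build is cut, that is fine. Otherwise, keep "- 3.8.8-203" on the Apr 23 line or move it to the entry that will be built, so the CVE fixes can be traced to a package release.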

