[kernel/f18] CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
Josh Boyer
jwboyer at fedoraproject.org
Wed Apr 24 12:26:57 UTC 2013
commit eaa7646216e59d45c37980bb70f5bb330b790ca2
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Apr 24 08:26:33 2013 -0400
CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
kernel.spec | 7 ++++
...ix-info-leak-via-msg_name-in-rose_recvmsg.patch | 36 ++++++++++++++++++++
2 files changed, 43 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 83c0d7c..5109dc7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -817,6 +817,9 @@ Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
#CVE-2013-3076 956162 956168
Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
+#CVE-2013-3234 956135 956139
+Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1584,6 +1587,9 @@ ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
#CVE-2013-3076 956162 956168
ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
+#CVE-2013-3234 956135 956139
+ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2442,6 +2448,7 @@ fi
# || ||
%changelog
* Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
- CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
* Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com>
diff --git a/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch b/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
new file mode 100644
index 0000000..81f423f
--- /dev/null
+++ b/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
@@ -0,0 +1,36 @@
+From 4a184233f21645cf0b719366210ed445d1024d72 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index cf68e6e..9c83474 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+ if (srose != NULL) {
++ memset(srose, 0, msg->msg_namelen);
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
+--
+1.8.1.4
+
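Review bot: In the net/rose/af_rose.c hunk, the added `memset(srose, 0, msg->msg_namelen);` takes its length from msg->msg_namelen rather than from the object being filled, and nothing in the visible context shows where that value is set or bounded before this point. If it can be smaller than the structure, the members and padding beyond it stay uninitialized and the leak described in the commit message remains; if it can be larger, the memset writes past the sockaddr. Consider sizing the clear from the type the commit message names, for example sizeof(struct full_sockaddr_rose), or add a comment stating the invariant that makes msg_namelen the right length here.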