[kernel/f18] CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)

Josh Boyer jwboyer at fedoraproject.org
Wed Apr 24 12:26:57 UTC 2013


commit eaa7646216e59d45c37980bb70f5bb330b790ca2
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Apr 24 08:26:33 2013 -0400

    CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)

 kernel.spec                                        |    7 ++++
 ...ix-info-leak-via-msg_name-in-rose_recvmsg.patch |   36 ++++++++++++++++++++
 2 files changed, 43 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 83c0d7c..5109dc7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -817,6 +817,9 @@ Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
 #CVE-2013-3076 956162 956168
 Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
 
+#CVE-2013-3234 956135 956139
+Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1584,6 +1587,9 @@ ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
 #CVE-2013-3076 956162 956168
 ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
 
+#CVE-2013-3234 956135 956139
+ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2442,6 +2448,7 @@ fi
 #                 ||     ||
 %changelog
 * Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
 - CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
 
 * Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com>
diff --git a/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch b/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
new file mode 100644
index 0000000..81f423f
--- /dev/null
+++ b/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
@@ -0,0 +1,36 @@
+From 4a184233f21645cf0b719366210ed445d1024d72 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index cf68e6e..9c83474 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+ 	if (srose != NULL) {
++		memset(srose, 0, msg->msg_namelen);
+ 		srose->srose_family = AF_ROSE;
+ 		srose->srose_addr   = rose->dest_addr;
+ 		srose->srose_call   = rose->dest_call;
+-- 
+1.8.1.4
+
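Review bot: the length passed in the new `memset(srose, 0, msg->msg_namelen);` line is whatever msg_namelen holds on entry to rose_recvmsg(), not the size of the structure the next lines fill (srose_family, srose_addr, srose_call), and the hunk shows no check that the two agree, so the zeroed region and the region later handed back to net/socket.c coincide only as long as the caller-supplied length equals the struct size. Since the commit message names both struct sockaddr_rose and struct full_sockaddr_rose as the affected types, a fixed-size clear such as `memset(srose, 0, sizeof(struct full_sockaddr_rose));` would cover every member and the compiler padding regardless of msg_namelen; if msg_namelen is guaranteed to be the full buffer length at this point, a short comment above the memset stating that would make the reliance explicit.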