[kernel/f17] CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)

Josh Boyer jwboyer at fedoraproject.org
Wed Apr 24 12:35:21 UTC 2013


commit 0ebd5978329450266da0de6ea1560ade55df873b
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Apr 24 08:34:57 2013 -0400

    CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)

 ...x-info-leaks-via-msg_name-in-llcp_sock_re.patch |   61 ++++++++++++++++++++
 kernel.spec                                        |    7 ++
 2 files changed, 68 insertions(+), 0 deletions(-)
---
diff --git a/NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch b/NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
new file mode 100644
index 0000000..e518cca
--- /dev/null
+++ b/NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
@@ -0,0 +1,61 @@
+From 4a3ad999af6c1b9a872fb70f19842784779383ee Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:58 +0000
+Subject: [PATCH] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
+
+Upstream d26d6504f23e803824e8ebd14e52d4fc0a0b09cb
+
+The code in llcp_sock_recvmsg() does not initialize all the members of
+struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
+initialize the padding bytes of the structure inserted by the compiler
+for alignment.
+
+Also, if the socket is in state LLCP_CLOSED or is shutting down during
+receive the msg_namelen member is not updated to 0 while otherwise
+returning with 0, i.e. "success". The msg_namelen update is also
+missing for stream and seqpacket sockets which don't fill the sockaddr
+info.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the first issue by initializing the memory used for sockaddr info
+with memset(0). Fix the second one by setting msg_namelen to 0 early.
+It will be updated later if we're going to fill the msg_name member.
+
+Cc: Lauro Ramos Venancio <lauro.venancio at openbossa.org>
+Cc: Aloisio Almeida Jr <aloisio.almeida at openbossa.org>
+Cc: Samuel Ortiz <sameo at linux.intel.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Conflicts:
+	net/nfc/llcp/sock.c
+---
+ net/nfc/llcp/sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
+index fea22eb..48fb1de 100644
+--- a/net/nfc/llcp/sock.c
++++ b/net/nfc/llcp/sock.c
+@@ -644,6 +644,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	pr_debug("%p %zu\n", sk, len);
+ 
++	msg->msg_namelen = 0;
++
+ 	lock_sock(sk);
+ 
+ 	if (sk->sk_state == LLCP_CLOSED &&
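Review bot: Placing `msg->msg_namelen = 0;` before `lock_sock(sk)` is the right spot, because the LLCP_CLOSED / shutting-down path that follows returns 0 without ever filling msg_name, and stream/seqpacket sockets never reach the address-filling branch at all; with the old code the caller's unset msg_namelen was handed back to net/socket.c, which is where the uninitialized stack bytes were copied out. Worth confirming in the full function, since it is not visible in this hunk's context, that the datagram branch still sets msg_namelen to sizeof(sockaddr) after the copy, as the commit text says. Unrelated to this fix but in the same context: the `pr_debug("%p %zu\n", sk, len)` line prints a raw kernel pointer to the log, which is its own small information disclosure and a reasonable follow-up cleanup.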
+@@ -684,6 +686,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 		pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
+ 
++		memset(&sockaddr, 0, sizeof(sockaddr));
+ 		sockaddr.sa_family = AF_NFC;
+ 		sockaddr.nfc_protocol = NFC_PROTO_NFC_DEP;
+ 		sockaddr.dsap = ui_cb->dsap;
+-- 
+1.8.1.4
+
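Review bot: The `memset(&sockaddr, 0, sizeof(sockaddr));` before the field assignments is needed as a memset rather than a designated initializer, since it has to zero the compiler-inserted alignment padding as well as any members the following lines do not assign; assigning fields one by one cannot clear the padding, so please keep it in this form. One documentation point: the backport header lists "Conflicts: net/nfc/llcp/sock.c" but does not say how the conflict against upstream d26d6504f23e803824e8ebd14e52d4fc0a0b09cb was resolved, and a single line describing the resolution would save the next person rebasing this patch from re-deriving it.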
diff --git a/kernel.spec b/kernel.spec
index 83cc56f..d81387c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -804,6 +804,9 @@ Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
 #CVE-2013-3234 956135 956139
 Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
 
+#CVE-2013-3233 956125 956129
+Patch25021: NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
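Review bot: Patch25021 continues the numbering directly after Patch25020 and reuses the same "#CVE-id rhbz rhbz" comment convention as the neighbouring entries, and the filename matches the added patch file exactly, so no change is needed here; the one thing to keep in sync is the corresponding ApplyPatch line, which must carry the identical filename or the build will fail at patch-application time.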
@@ -1566,6 +1569,9 @@ ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
 #CVE-2013-3234 956135 956139
 ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
 
+#CVE-2013-3233 956125 956129
+ApplyPatch NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2423,6 +2429,7 @@ fi
 #              '-'
 %changelog
 * Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
 - CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
 - CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
 