[kernel/f17] CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
Josh Boyer
jwboyer at fedoraproject.org
Wed Apr 24 12:47:28 UTC 2013
commit f36a2157828a605cc9ab3a76014242f5d322767f
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Apr 24 08:47:10 2013 -0400
CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
kernel.spec | 7 ++++
...m-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch | 35 ++++++++++++++++++++
2 files changed, 42 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index d81387c..0c7fb9d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -807,6 +807,9 @@ Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
#CVE-2013-3233 956125 956129
Patch25021: NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
+#CVE-2013-3232 956110 956113
+Patch25022: netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1572,6 +1575,9 @@ ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
#CVE-2013-3233 956125 956129
ApplyPatch NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
+#CVE-2013-3232 956110 956113
+ApplyPatch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2429,6 +2435,7 @@ fi
# '-'
%changelog
* Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
- CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
- CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
- CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
diff --git a/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch b/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
new file mode 100644
index 0000000..3881896
--- /dev/null
+++ b/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
@@ -0,0 +1,35 @@
+From fdbf33caa22d6648227c39c48ae395fb36e4bd7f Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei at trendmicro.com.cn>
+Date: Tue, 9 Apr 2013 10:07:19 +0800
+Subject: [PATCH] netrom: fix invalid use of sizeof in nr_recvmsg()
+
+Upstream c802d759623acbd6e1ee9fbdabae89159a513913
+
+sizeof() when applied to a pointer typed expression gives the size of the
+pointer, not that of the pointed data.
+Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)
+
+Signed-off-by: Wei Yongjun <yongjun_wei at trendmicro.com.cn>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Conflicts:
+ net/netrom/af_netrom.c
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 7261eb8..f334fbd 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1177,6 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
+ }
+
+ if (sax != NULL) {
++ memset(sax, 0, sizeof(*sax));
+ sax->sax25_family = AF_NETROM;
+ skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ AX25_ADDR_LEN);
+--
+1.8.1.4
+
More information about the scm-commits
mailing list