[kernel/f17] CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)

Josh Boyer jwboyer at fedoraproject.org
Wed Apr 24 12:47:28 UTC 2013 

commit f36a2157828a605cc9ab3a76014242f5d322767f
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Apr 24 08:47:10 2013 -0400

    CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)

 kernel.spec                                        |    7 ++++
 ...m-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch |   35 ++++++++++++++++++++
 2 files changed, 42 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index d81387c..0c7fb9d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -807,6 +807,9 @@ Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
 #CVE-2013-3233 956125 956129
 Patch25021: NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
 
+#CVE-2013-3232 956110 956113
+Patch25022: netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1572,6 +1575,9 @@ ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
 #CVE-2013-3233 956125 956129
 ApplyPatch NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
 
+#CVE-2013-3232 956110 956113
+ApplyPatch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2429,6 +2435,7 @@ fi
 #              '-'
 %changelog
 * Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
 - CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
 - CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
 - CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
diff --git a/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch b/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
new file mode 100644
index 0000000..3881896
--- /dev/null
+++ b/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
@@ -0,0 +1,35 @@
+From fdbf33caa22d6648227c39c48ae395fb36e4bd7f Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei at trendmicro.com.cn>
+Date: Tue, 9 Apr 2013 10:07:19 +0800
+Subject: [PATCH] netrom: fix invalid use of sizeof in nr_recvmsg()
+
+Upstream c802d759623acbd6e1ee9fbdabae89159a513913
+
+sizeof() when applied to a pointer typed expression gives the size of the
+pointer, not that of the pointed data.
+Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)
+
+Signed-off-by: Wei Yongjun <yongjun_wei at trendmicro.com.cn>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Conflicts:
+	net/netrom/af_netrom.c
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 7261eb8..f334fbd 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1177,6 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	}
+ 
+ 	if (sax != NULL) {
++		memset(sax, 0, sizeof(*sax));
+ 		sax->sax25_family = AF_NETROM;
+ 		skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ 			      AX25_ADDR_LEN);
+-- 
+1.8.1.4
+

More information about the scm-commits mailing list