[kernel/f17] CVE-2013-3228 irda: missing msg_namelen update in irda_recvmsg_dgram (rhbz 956069 956071)
Josh Boyer
jwboyer at fedoraproject.org
Wed Apr 24 12:55:39 UTC 2013
commit b92e84a3a847a9eb0d1a8623f8fe227aeb5a3499
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Apr 24 08:55:18 2013 -0400
CVE-2013-3228 irda: missing msg_namelen update in irda_recvmsg_dgram (rhbz 956069 956071)
...ssing-msg_namelen-update-in-irda_recvmsg_.patch | 37 ++++++++++++++++++++
kernel.spec | 7 ++++
2 files changed, 44 insertions(+), 0 deletions(-)
---
diff --git a/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch b/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
new file mode 100644
index 0000000..074d2b4
--- /dev/null
+++ b/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
@@ -0,0 +1,37 @@
+From 5ae94c0d2f0bed41d6718be743985d61b7f5c47d Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: [PATCH] irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Cc: Samuel Ortiz <samuel at sortiz.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/irda/af_irda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index d28e7f0..e493b33 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+
+ IRDA_DEBUG(4, "%s()\n", __func__);
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+ if (!skb)
+--
+1.8.1.4
+
diff --git a/kernel.spec b/kernel.spec
index 37fe0f8..f267616 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -816,6 +816,9 @@ Patch25023: llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
#CVE-2013-3230 956088 956089
Patch25024: l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
+#CVE-2013-3228 956069 956071
+Patch25025: irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1590,6 +1593,9 @@ ApplyPatch llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
#CVE-2013-3230 956088 956089
ApplyPatch l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
+#CVE-2013-3228 956069 956071
+ApplyPatch irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2447,6 +2453,7 @@ fi
# '-'
%changelog
* Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3228 irda: missing msg_namelen update in irda_recvmsg_dgram (rhbz 956069 956071)
- CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)
- CVE-2013-3231 llc: Fix missing msg_namelen update in llc_ui_recvmsg (rhbz 956094 956104)
- CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
More information about the scm-commits
mailing list