[kernel/f20] CVE-2014-1446 hamradio/yam: information leak in ioctl (rhbz 1053620 1053647)

Josh Boyer jwboyer at fedoraproject.org
Wed Jan 15 15:08:34 UTC 2014


commit 7f4eab3f852933ee2048728eb109d317a8d4ba24
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Wed Jan 15 10:08:25 2014 -0500

    CVE-2014-1446 hamradio/yam: information leak in ioctl (rhbz 1053620 1053647)

 hamradio-yam-fix-info-leak-in-ioctl.patch |   36 +++++++++++++++++++++++++++++
 kernel.spec                               |    7 +++++
 2 files changed, 43 insertions(+), 0 deletions(-)
---
diff --git a/hamradio-yam-fix-info-leak-in-ioctl.patch b/hamradio-yam-fix-info-leak-in-ioctl.patch
new file mode 100644
index 0000000..057acc5
--- /dev/null
+++ b/hamradio-yam-fix-info-leak-in-ioctl.patch
@@ -0,0 +1,36 @@
+Bugzilla: 1053647
+Upstream-status: 3.13 and 3.12.8
+
+From foo at baz Mon Jan 13 09:44:41 PST 2014
+From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speiro at ai2.upv.es>
+Date: Tue, 17 Dec 2013 10:06:30 +0100
+Subject: hamradio/yam: fix info leak in ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Salva Peiró <speiro at ai2.upv.es>
+
+[ Upstream commit 8e3fbf870481eb53b2d3a322d1fc395ad8b367ed ]
+
+The yam_ioctl() code fails to initialise the cmd field
+of the struct yamdrv_ioctl_cfg. Add an explicit memset(0)
+before filling the structure to avoid the 4-byte info leak.
+
+Signed-off-by: Salva Peiró <speiro at ai2.upv.es>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/net/hamradio/yam.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/hamradio/yam.c
++++ b/drivers/net/hamradio/yam.c
+@@ -1057,6 +1057,7 @@ static int yam_ioctl(struct net_device *
+ 		break;
+ 
+ 	case SIOCYAMGCFG:
++		memset(&yi, 0, sizeof(yi));
+ 		yi.cfg.mask = 0xffffffff;
+ 		yi.cfg.iobase = yp->iobase;
+ 		yi.cfg.irq = yp->irq;
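Review bot: in the SIOCYAMGCFG case the added memset(&yi, 0, sizeof(yi)) clears the whole structure, while the commit message attributes the leak only to the uninitialised cmd field. The description should state that the full-struct clear is deliberate, since it also covers any padding or members this case does not assign, so that a later cleanup does not narrow it to a single yi.cmd assignment. The context lines show only this one case, so it is worth confirming that no other branch of yam_ioctl() returns yi to user space without fully initialising it first.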
diff --git a/kernel.spec b/kernel.spec
index af5695c..c03107a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -763,6 +763,9 @@ Patch25183: ipv6-route-cache-expiration.patch
 #CVE-2014-1438 rhbz 1053599 1052914
 Patch25184: x86-fpu-amd-clear-exceptions-in-amd-fxsave-workaround.patch
 
+#CVE-2014-1446 rhbz 1053620 1053647
+Patch25185: hamradio-yam-fix-info-leak-in-ioctl.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
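Review bot: the comment above Patch25185 cites rhbz 1053620 and 1053647, but the Bugzilla: header at the top of hamradio-yam-fix-info-leak-in-ioctl.patch lists only 1053647. If the header is meant to carry just one of the two bugs, that is fine; otherwise add 1053620 there so the patch file and the spec agree when someone searches by bug number.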
@@ -1481,6 +1484,9 @@ ApplyPatch ipv6-route-cache-expiration.patch
 #CVE-2014-1438 rhbz 1053599 1052914
 ApplyPatch x86-fpu-amd-clear-exceptions-in-amd-fxsave-workaround.patch
 
+#CVE-2014-1446 rhbz 1053620 1053647
+ApplyPatch hamradio-yam-fix-info-leak-in-ioctl.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2284,6 +2290,7 @@ fi
 #                 ||     ||
 %changelog
 * Wed Jan 15 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-1446 hamradio/yam: information leak in ioctl (rhbz 1053620 1053647)
 - CVE-2014-1438 x86: exceptions are not cleared in AMD FXSAVE workaround (rhbz 1053599 1052914)
 
 * Tue Jan 14 2014 Josh Boyer <jwboyer at fedoraproject.org>

