CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)
This commit is contained in:
Josh Boyer
parent
2d3286ee13
commit
4a7e4a4d41
|
|
@ -0,0 +1,38 @@
|
|||
From ef3313e84acbf349caecae942ab3ab731471f1a1 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:48 +0000
|
||||
Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
|
||||
|
||||
When msg_namelen is non-zero the sockaddr info gets filled out, as
|
||||
requested, but the code fails to initialize the padding bytes of struct
|
||||
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
|
||||
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
|
||||
not always filled up to this size.
|
||||
|
||||
Both issues lead to the fact that the code will leak uninitialized
|
||||
kernel stack bytes in net/socket.c.
|
||||
|
||||
Fix both issues by initializing the memory with memset(0).
|
||||
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ax25/af_ax25.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
|
||||
index 7b11f8b..e277e38 100644
|
||||
--- a/net/ax25/af_ax25.c
|
||||
+++ b/net/ax25/af_ax25.c
|
||||
@@ -1642,6 +1642,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
ax25_address src;
|
||||
const unsigned char *mac = skb_mac_header(skb);
|
||||
|
||||
+ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
|
||||
ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
|
||||
&digi, NULL, NULL);
|
||||
sax->sax25_family = AF_AX25;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -795,6 +795,9 @@ Patch25016: net-fix-incorrect-credentials-passing.patch
|
|||
#CVE-2013-3225 rhbz 955649 955658
|
||||
Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
|
||||
|
||||
#CVE-2013-3223 rhbz 955662 955666
|
||||
Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1548,6 +1551,9 @@ ApplyPatch net-fix-incorrect-credentials-passing.patch
|
|||
#CVE-2013-3225 rhbz 955649 955658
|
||||
ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
|
||||
|
||||
#CVE-2013-3223 rhbz 955662 955666
|
||||
ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2405,6 +2411,7 @@ fi
|
|||
# '-'
|
||||
%changelog
|
||||
* Tue Apr 23 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)
|
||||
- CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
|
||||
- CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
|
||||
- CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)
|
||||
|
|
|
|||
Loading…
Reference in New Issue