CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007)

This commit is contained in:
Josh Boyer 2013-07-03 15:36:22 -04:00
parent c2ff806e79
commit 60a8d4c543
2 changed files with 46 additions and 0 deletions

View File

@ -0,0 +1,37 @@
From a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Wed, 26 Jun 2013 21:52:30 +0000
Subject: af_key: fix info leaks in notify messages
key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
the sadb_msg_reserved member of the broadcasted message and thereby
leak 2 bytes of heap memory to listeners. Fix that.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c5fbd75..9da8620 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c)
hdr->sadb_msg_version = PF_KEY_V2;
hdr->sadb_msg_errno = (uint8_t) 0;
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+ hdr->sadb_msg_reserved = 0;
pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
@@ -2699,6 +2700,7 @@ static int key_notify_policy_flush(const struct km_event *c)
hdr->sadb_msg_errno = (uint8_t) 0;
hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+ hdr->sadb_msg_reserved = 0;
pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
return 0;
--
cgit v0.9.2

View File

@ -804,6 +804,9 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch
Patch25056: iwl3945-better-skb-management-in-rx-path.patch
Patch25057: iwl4965-better-skb-management-in-rx-path.patch
#CVE-2013-2234 rhbz 980995 981007
Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
# END OF PATCH DEFINITIONS
%endif
@ -1557,6 +1560,9 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch
ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
#CVE-2013-2234 rhbz 980995 981007
ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
# END OF PATCH APPLICATIONS
%endif
@ -2373,6 +2379,9 @@ fi
# and build.
%changelog
* Wed Jul 03 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007)
* Wed Jul 03 2013 Justin M. Forbes <jforbes@redhat.com> 3.9.9-300
- Linux v3.9.9