CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)
This commit is contained in:
Josh Boyer
parent
7be76a4225
commit
811fc75c6e
|
|
@ -0,0 +1,35 @@
|
|||
From 9b3e617f3df53822345a8573b6d358f6b9e5ed87 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:47 +0000
|
||||
Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
|
||||
|
||||
The current code does not fill the msg_name member in case it is set.
|
||||
It also does not set the msg_namelen member to 0 and therefore makes
|
||||
net/socket.c leak the local, uninitialized sockaddr_storage variable
|
||||
to userland -- 128 bytes of kernel stack memory.
|
||||
|
||||
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
|
||||
about vcc_recvmsg() not filling the msg_name in case it was set.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/atm/common.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/net/atm/common.c b/net/atm/common.c
|
||||
index 7b49100..737bef5 100644
|
||||
--- a/net/atm/common.c
|
||||
+++ b/net/atm/common.c
|
||||
@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
|
||||
struct sk_buff *skb;
|
||||
int copied, error = -EINVAL;
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
if (sock->state != SS_CONNECTED)
|
||||
return -ENOTCONN;
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
11
kernel.spec
11
kernel.spec
|
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 202
|
||||
%global baserelease 203
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
|
@ -799,6 +799,9 @@ Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch
|
|||
#rhbz 947539
|
||||
Patch25013: md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch
|
||||
|
||||
#CVE-2013-3222 rhbz 955216 955228
|
||||
Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1548,6 +1551,9 @@ ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch
|
|||
#rhbz 947539
|
||||
ApplyPatch md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch
|
||||
|
||||
#CVE-2013-3222 rhbz 955216 955228
|
||||
ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2405,6 +2411,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Apr 22 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-3222 atm: update msg_namelen in vcc_recvmsg (rhbz 955216 955228)
|
||||
|
||||
* Wed Apr 17 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.8-202
|
||||
- Fix missing raid REQ_WRITE_SAME flag commit (rhbz 947539)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue