CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
This commit is contained in:
Josh Boyer
parent
eaa7646216
commit
8499d94486
|
|
@ -0,0 +1,61 @@
|
|||
From 4a3ad999af6c1b9a872fb70f19842784779383ee Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:58 +0000
|
||||
Subject: [PATCH] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
|
||||
|
||||
Upstream d26d6504f23e803824e8ebd14e52d4fc0a0b09cb
|
||||
|
||||
The code in llcp_sock_recvmsg() does not initialize all the members of
|
||||
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
|
||||
initialize the padding bytes of the structure inserted by the compiler
|
||||
for alignment.
|
||||
|
||||
Also, if the socket is in state LLCP_CLOSED or is shutting down during
|
||||
receive the msg_namelen member is not updated to 0 while otherwise
|
||||
returning with 0, i.e. "success". The msg_namelen update is also
|
||||
missing for stream and seqpacket sockets which don't fill the sockaddr
|
||||
info.
|
||||
|
||||
Both issues lead to the fact that the code will leak uninitialized
|
||||
kernel stack bytes in net/socket.c.
|
||||
|
||||
Fix the first issue by initializing the memory used for sockaddr info
|
||||
with memset(0). Fix the second one by setting msg_namelen to 0 early.
|
||||
It will be updated later if we're going to fill the msg_name member.
|
||||
|
||||
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
|
||||
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
|
||||
Cc: Samuel Ortiz <sameo@linux.intel.com>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
Conflicts:
|
||||
net/nfc/llcp/sock.c
|
||||
---
|
||||
net/nfc/llcp/sock.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
|
||||
index fea22eb..48fb1de 100644
|
||||
--- a/net/nfc/llcp/sock.c
|
||||
+++ b/net/nfc/llcp/sock.c
|
||||
@@ -644,6 +644,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
pr_debug("%p %zu\n", sk, len);
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
if (sk->sk_state == LLCP_CLOSED &&
|
||||
@@ -684,6 +686,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
|
||||
|
||||
+ memset(&sockaddr, 0, sizeof(sockaddr));
|
||||
sockaddr.sa_family = AF_NFC;
|
||||
sockaddr.nfc_protocol = NFC_PROTO_NFC_DEP;
|
||||
sockaddr.dsap = ui_cb->dsap;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -820,6 +820,9 @@ Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
|
|||
#CVE-2013-3234 956135 956139
|
||||
Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
|
||||
|
||||
#CVE-2013-3233 956125 956129
|
||||
Patch25021: NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1590,6 +1593,9 @@ ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
|
|||
#CVE-2013-3234 956135 956139
|
||||
ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
|
||||
|
||||
#CVE-2013-3233 956125 956129
|
||||
ApplyPatch NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2448,6 +2454,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Wed Apr 24 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
|
||||
- CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
|
||||
- CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue