CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
This commit is contained in:
parent
66a9977428
commit
8addbb8acf
|
@ -0,0 +1,37 @@
|
|||
From e11e0455c0d7d3d62276a0c55d9dfbc16779d691 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:50 +0000
|
||||
Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in
|
||||
rfcomm_sock_recvmsg()
|
||||
|
||||
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
|
||||
early with 0 without updating the possibly set msg_namelen member. This,
|
||||
in turn, leads to a 128 byte kernel stack leak in net/socket.c.
|
||||
|
||||
Fix this by updating msg_namelen in this case. For all other cases it
|
||||
will be handled in bt_sock_stream_recvmsg().
|
||||
|
||||
Cc: Marcel Holtmann <marcel@holtmann.org>
|
||||
Cc: Gustavo Padovan <gustavo@padovan.org>
|
||||
Cc: Johan Hedberg <johan.hedberg@gmail.com>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/bluetooth/rfcomm/sock.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
|
||||
index c23bae8..7c9224b 100644
|
||||
--- a/net/bluetooth/rfcomm/sock.c
|
||||
+++ b/net/bluetooth/rfcomm/sock.c
|
||||
@@ -608,6 +608,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
|
||||
rfcomm_dlc_accept(d);
|
||||
+ msg->msg_namelen = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
|
@ -808,6 +808,9 @@ Patch25015: Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
|
|||
#CVE-2013-1979 rhbz 955629 955647
|
||||
Patch25016: net-fix-incorrect-credentials-passing.patch
|
||||
|
||||
#CVE-2013-3225 rhbz 955649 955658
|
||||
Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1566,6 +1569,9 @@ ApplyPatch Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
|
|||
#CVE-2013-1979 rhbz 955629 955647
|
||||
ApplyPatch net-fix-incorrect-credentials-passing.patch
|
||||
|
||||
#CVE-2013-3225 rhbz 955649 955658
|
||||
ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2424,6 +2430,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Tue Apr 23 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
|
||||
- CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
|
||||
- CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)
|
||||
|
||||
|
|
Loading…
Reference in New Issue