CVE-2016-4486 CVE-2016-4485 info leaks (rhbz 1333316 1333309 1333321)

This commit is contained in:
Josh Boyer 2016-05-05 08:45:43 -04:00
parent ba418dcee2
commit a26d52b3e9
3 changed files with 89 additions and 0 deletions

View File

@ -623,6 +623,10 @@ Patch703: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
#CVE-2016-4482 rhbz 1332931 1332932
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321
Patch707: net-fix-infoleak-in-llc.patch
Patch708: net-fix-infoleak-in-rtnetlink.patch
# END OF PATCH DEFINITIONS
%endif
@ -2148,6 +2152,9 @@ fi
#
#
%changelog
* Thu May 05 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-4486 CVE-2016-4485 info leaks (rhbz 1333316 1333309 1333321)
* Wed May 04 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git2.1
- Linux v4.6-rc6-113-g83858a701cf3
- Enable NFC_NXP_NCI options (rhbz 1290556)

View File

@ -0,0 +1,32 @@
From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:35:05 -0400
Subject: [PATCH 2/2] net: fix infoleak in llc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “info” has a total size of 12 bytes. Its last byte
is padding which is not initialized and leaked via “put_cmsg”.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/llc/af_llc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index b3c52e3f689a..8ae3ed97d95c 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
struct llc_pktinfo info;
+ memset(&info, 0, sizeof(info));
info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
llc_pdu_decode_dsap(skb, &info.lpi_sap);
llc_pdu_decode_da(skb, info.lpi_mac);
--
2.5.5

View File

@ -0,0 +1,50 @@
From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:46:24 -0400
Subject: [PATCH 1/2] net: fix infoleak in rtnetlink
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/core/rtnetlink.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index a75f7e94b445..65763c29f845 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
{
- struct rtnl_link_ifmap map = {
- .mem_start = dev->mem_start,
- .mem_end = dev->mem_end,
- .base_addr = dev->base_addr,
- .irq = dev->irq,
- .dma = dev->dma,
- .port = dev->if_port,
- };
+ struct rtnl_link_ifmap map;
+
+ memset(&map, 0, sizeof(map));
+ map.mem_start = dev->mem_start;
+ map.mem_end = dev->mem_end;
+ map.base_addr = dev->base_addr;
+ map.irq = dev->irq;
+ map.dma = dev->dma;
+ map.port = dev->if_port;
+
if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
return -EMSGSIZE;
--
2.5.5