Linux v3.8.11
This commit is contained in:
Justin M. Forbes
parent
53d61ba1b1
commit
a7a3b25626
|
|
@ -1,37 +0,0 @@
|
|||
From e11e0455c0d7d3d62276a0c55d9dfbc16779d691 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:50 +0000
|
||||
Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in
|
||||
rfcomm_sock_recvmsg()
|
||||
|
||||
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
|
||||
early with 0 without updating the possibly set msg_namelen member. This,
|
||||
in turn, leads to a 128 byte kernel stack leak in net/socket.c.
|
||||
|
||||
Fix this by updating msg_namelen in this case. For all other cases it
|
||||
will be handled in bt_sock_stream_recvmsg().
|
||||
|
||||
Cc: Marcel Holtmann <marcel@holtmann.org>
|
||||
Cc: Gustavo Padovan <gustavo@padovan.org>
|
||||
Cc: Johan Hedberg <johan.hedberg@gmail.com>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/bluetooth/rfcomm/sock.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
|
||||
index c23bae8..7c9224b 100644
|
||||
--- a/net/bluetooth/rfcomm/sock.c
|
||||
+++ b/net/bluetooth/rfcomm/sock.c
|
||||
@@ -608,6 +608,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
|
||||
rfcomm_dlc_accept(d);
|
||||
+ msg->msg_namelen = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From 4683f42fde3977bdb4e8a09622788cc8b5313778 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:49 +0000
|
||||
Subject: [PATCH] Bluetooth: fix possible info leak in bt_sock_recvmsg()
|
||||
|
||||
In case the socket is already shutting down, bt_sock_recvmsg() returns
|
||||
with 0 without updating msg_namelen leading to net/socket.c leaking the
|
||||
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
|
||||
of kernel stack memory.
|
||||
|
||||
Fix this by moving the msg_namelen assignment in front of the shutdown
|
||||
test.
|
||||
|
||||
Cc: Marcel Holtmann <marcel@holtmann.org>
|
||||
Cc: Gustavo Padovan <gustavo@padovan.org>
|
||||
Cc: Johan Hedberg <johan.hedberg@gmail.com>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/bluetooth/af_bluetooth.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
|
||||
index d3ee69b..0d1b08c 100644
|
||||
--- a/net/bluetooth/af_bluetooth.c
|
||||
+++ b/net/bluetooth/af_bluetooth.c
|
||||
@@ -230,6 +230,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
if (flags & (MSG_OOB))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
skb = skb_recv_datagram(sk, flags, noblock, &err);
|
||||
if (!skb) {
|
||||
if (sk->sk_shutdown & RCV_SHUTDOWN)
|
||||
@@ -237,8 +239,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
return err;
|
||||
}
|
||||
|
||||
- msg->msg_namelen = 0;
|
||||
-
|
||||
copied = skb->len;
|
||||
if (len < copied) {
|
||||
msg->msg_flags |= MSG_TRUNC;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
From 4a3ad999af6c1b9a872fb70f19842784779383ee Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:58 +0000
|
||||
Subject: [PATCH] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
|
||||
|
||||
Upstream d26d6504f23e803824e8ebd14e52d4fc0a0b09cb
|
||||
|
||||
The code in llcp_sock_recvmsg() does not initialize all the members of
|
||||
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
|
||||
initialize the padding bytes of the structure inserted by the compiler
|
||||
for alignment.
|
||||
|
||||
Also, if the socket is in state LLCP_CLOSED or is shutting down during
|
||||
receive the msg_namelen member is not updated to 0 while otherwise
|
||||
returning with 0, i.e. "success". The msg_namelen update is also
|
||||
missing for stream and seqpacket sockets which don't fill the sockaddr
|
||||
info.
|
||||
|
||||
Both issues lead to the fact that the code will leak uninitialized
|
||||
kernel stack bytes in net/socket.c.
|
||||
|
||||
Fix the first issue by initializing the memory used for sockaddr info
|
||||
with memset(0). Fix the second one by setting msg_namelen to 0 early.
|
||||
It will be updated later if we're going to fill the msg_name member.
|
||||
|
||||
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
|
||||
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
|
||||
Cc: Samuel Ortiz <sameo@linux.intel.com>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
Conflicts:
|
||||
net/nfc/llcp/sock.c
|
||||
---
|
||||
net/nfc/llcp/sock.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
|
||||
index fea22eb..48fb1de 100644
|
||||
--- a/net/nfc/llcp/sock.c
|
||||
+++ b/net/nfc/llcp/sock.c
|
||||
@@ -644,6 +644,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
pr_debug("%p %zu\n", sk, len);
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
if (sk->sk_state == LLCP_CLOSED &&
|
||||
@@ -684,6 +686,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
|
||||
|
||||
+ memset(&sockaddr, 0, sizeof(sockaddr));
|
||||
sockaddr.sa_family = AF_NFC;
|
||||
sockaddr.nfc_protocol = NFC_PROTO_NFC_DEP;
|
||||
sockaddr.dsap = ui_cb->dsap;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From 9b3e617f3df53822345a8573b6d358f6b9e5ed87 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:47 +0000
|
||||
Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
|
||||
|
||||
The current code does not fill the msg_name member in case it is set.
|
||||
It also does not set the msg_namelen member to 0 and therefore makes
|
||||
net/socket.c leak the local, uninitialized sockaddr_storage variable
|
||||
to userland -- 128 bytes of kernel stack memory.
|
||||
|
||||
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
|
||||
about vcc_recvmsg() not filling the msg_name in case it was set.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/atm/common.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/net/atm/common.c b/net/atm/common.c
|
||||
index 7b49100..737bef5 100644
|
||||
--- a/net/atm/common.c
|
||||
+++ b/net/atm/common.c
|
||||
@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
|
||||
struct sk_buff *skb;
|
||||
int copied, error = -EINVAL;
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
if (sock->state != SS_CONNECTED)
|
||||
return -ENOTCONN;
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
From ef3313e84acbf349caecae942ab3ab731471f1a1 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:48 +0000
|
||||
Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
|
||||
|
||||
When msg_namelen is non-zero the sockaddr info gets filled out, as
|
||||
requested, but the code fails to initialize the padding bytes of struct
|
||||
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
|
||||
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
|
||||
not always filled up to this size.
|
||||
|
||||
Both issues lead to the fact that the code will leak uninitialized
|
||||
kernel stack bytes in net/socket.c.
|
||||
|
||||
Fix both issues by initializing the memory with memset(0).
|
||||
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ax25/af_ax25.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
|
||||
index 7b11f8b..e277e38 100644
|
||||
--- a/net/ax25/af_ax25.c
|
||||
+++ b/net/ax25/af_ax25.c
|
||||
@@ -1642,6 +1642,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
ax25_address src;
|
||||
const unsigned char *mac = skb_mac_header(skb);
|
||||
|
||||
+ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
|
||||
ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
|
||||
&digi, NULL, NULL);
|
||||
sax->sax25_family = AF_AX25;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From 5ae94c0d2f0bed41d6718be743985d61b7f5c47d Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:53 +0000
|
||||
Subject: [PATCH] irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
|
||||
|
||||
The current code does not fill the msg_name member in case it is set.
|
||||
It also does not set the msg_namelen member to 0 and therefore makes
|
||||
net/socket.c leak the local, uninitialized sockaddr_storage variable
|
||||
to userland -- 128 bytes of kernel stack memory.
|
||||
|
||||
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
|
||||
about irda_recvmsg_dgram() not filling the msg_name in case it was
|
||||
set.
|
||||
|
||||
Cc: Samuel Ortiz <samuel@sortiz.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/irda/af_irda.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index d28e7f0..e493b33 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
IRDA_DEBUG(4, "%s()\n", __func__);
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
|
||||
flags & MSG_DONTWAIT, &err);
|
||||
if (!skb)
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
71
kernel.spec
71
kernel.spec
|
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 10
|
||||
%define stable_update 11
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
|
@ -787,39 +787,6 @@ Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch
|
|||
#rhbz 951241
|
||||
Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch
|
||||
|
||||
#CVE-2013-3222 rhbz 955216 955228
|
||||
Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch
|
||||
|
||||
#CVE-2013-3224 rhbz 955599 955607
|
||||
Patch25015: Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
|
||||
|
||||
#CVE-2013-1979 rhbz 955629 955647
|
||||
Patch25016: net-fix-incorrect-credentials-passing.patch
|
||||
|
||||
#CVE-2013-3225 rhbz 955649 955658
|
||||
Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
|
||||
|
||||
#CVE-2013-3223 rhbz 955662 955666
|
||||
Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
|
||||
|
||||
#CVE-2013-3234 956135 956139
|
||||
Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
|
||||
|
||||
#CVE-2013-3233 956125 956129
|
||||
Patch25021: NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
|
||||
|
||||
#CVE-2013-3232 956110 956113
|
||||
Patch25022: netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
|
||||
|
||||
#CVE-2013-3231 956094 956104
|
||||
Patch25023: llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
|
||||
|
||||
#CVE-2013-3230 956088 956089
|
||||
Patch25024: l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
|
||||
|
||||
#CVE-2013-3228 956069 956071
|
||||
Patch25025: irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1557,39 +1524,6 @@ ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch
|
|||
#rhbz 951241
|
||||
ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch
|
||||
|
||||
#CVE-2013-3222 rhbz 955216 955228
|
||||
ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch
|
||||
|
||||
#CVE-2013-3224 rhbz 955599 955607
|
||||
ApplyPatch Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
|
||||
|
||||
#CVE-2013-1979 rhbz 955629 955647
|
||||
ApplyPatch net-fix-incorrect-credentials-passing.patch
|
||||
|
||||
#CVE-2013-3225 rhbz 955649 955658
|
||||
ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
|
||||
|
||||
#CVE-2013-3223 rhbz 955662 955666
|
||||
ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
|
||||
|
||||
#CVE-2013-3234 956135 956139
|
||||
ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
|
||||
|
||||
#CVE-2013-3233 956125 956129
|
||||
ApplyPatch NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch
|
||||
|
||||
#CVE-2013-3232 956110 956113
|
||||
ApplyPatch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
|
||||
|
||||
#CVE-2013-3231 956094 956104
|
||||
ApplyPatch llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
|
||||
|
||||
#CVE-2013-3230 956088 956089
|
||||
ApplyPatch l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
|
||||
|
||||
#CVE-2013-3228 956069 956071
|
||||
ApplyPatch irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2447,6 +2381,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Wed May 01 2013 Justin M. Forbes <jforbes@redhat.com> - 3.8.11-200
|
||||
- Linux v3.8.11
|
||||
|
||||
* Mon Apr 29 2013 Justin M. Forbes <jforbes@redhat.com> - 3.8.10-200
|
||||
- Linux v3.8.10
|
||||
|
||||
|
|
|
|||
|
|
@ -1,32 +0,0 @@
|
|||
From b860d3cc62877fad02863e2a08efff69a19382d2 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:55 +0000
|
||||
Subject: [PATCH] l2tp: fix info leak in l2tp_ip6_recvmsg()
|
||||
|
||||
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
|
||||
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
|
||||
in l2tp_ip6_recvmsg() in case msg_name is set.
|
||||
|
||||
Initialize l2tp_conn_id with 0 to avoid the info leak.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/l2tp/l2tp_ip6.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
|
||||
index c74f5a9..b8a6039 100644
|
||||
--- a/net/l2tp/l2tp_ip6.c
|
||||
+++ b/net/l2tp/l2tp_ip6.c
|
||||
@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
|
||||
lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
|
||||
lsa->l2tp_flowinfo = 0;
|
||||
lsa->l2tp_scope_id = 0;
|
||||
+ lsa->l2tp_conn_id = 0;
|
||||
if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
|
||||
lsa->l2tp_scope_id = IP6CB(skb)->iif;
|
||||
}
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From c77a4b9cffb6215a15196ec499490d116dfad181 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:56 +0000
|
||||
Subject: [PATCH] llc: Fix missing msg_namelen update in llc_ui_recvmsg()
|
||||
|
||||
For stream sockets the code misses to update the msg_namelen member
|
||||
to 0 and therefore makes net/socket.c leak the local, uninitialized
|
||||
sockaddr_storage variable to userland -- 128 bytes of kernel stack
|
||||
memory. The msg_namelen update is also missing for datagram sockets
|
||||
in case the socket is shutting down during receive.
|
||||
|
||||
Fix both issues by setting msg_namelen to 0 early. It will be
|
||||
updated later if we're going to fill the msg_name member.
|
||||
|
||||
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/llc/af_llc.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
|
||||
index 8870988..48aaa89 100644
|
||||
--- a/net/llc/af_llc.c
|
||||
+++ b/net/llc/af_llc.c
|
||||
@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
int target; /* Read at least this many bytes */
|
||||
long timeo;
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
lock_sock(sk);
|
||||
copied = -ENOTCONN;
|
||||
if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From 83f1b4ba917db5dc5a061a44b3403ddb6e783494 Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Fri, 19 Apr 2013 15:32:32 +0000
|
||||
Subject: [PATCH] net: fix incorrect credentials passing
|
||||
|
||||
Commit 257b5358b32f ("scm: Capture the full credentials of the scm
|
||||
sender") changed the credentials passing code to pass in the effective
|
||||
uid/gid instead of the real uid/gid.
|
||||
|
||||
Obviously this doesn't matter most of the time (since normally they are
|
||||
the same), but it results in differences for suid binaries when the wrong
|
||||
uid/gid ends up being used.
|
||||
|
||||
This just undoes that (presumably unintentional) part of the commit.
|
||||
|
||||
Reported-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Eric W. Biederman <ebiederm@xmission.com>
|
||||
Cc: Serge E. Hallyn <serge@hallyn.com>
|
||||
Cc: David S. Miller <davem@davemloft.net>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/scm.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/include/net/scm.h b/include/net/scm.h
|
||||
index 975cca0..b117081 100644
|
||||
--- a/include/net/scm.h
|
||||
+++ b/include/net/scm.h
|
||||
@@ -56,8 +56,8 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
|
||||
scm->pid = get_pid(pid);
|
||||
scm->cred = cred ? get_cred(cred) : NULL;
|
||||
scm->creds.pid = pid_vnr(pid);
|
||||
- scm->creds.uid = cred ? cred->euid : INVALID_UID;
|
||||
- scm->creds.gid = cred ? cred->egid : INVALID_GID;
|
||||
+ scm->creds.uid = cred ? cred->uid : INVALID_UID;
|
||||
+ scm->creds.gid = cred ? cred->gid : INVALID_GID;
|
||||
}
|
||||
|
||||
static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From fdbf33caa22d6648227c39c48ae395fb36e4bd7f Mon Sep 17 00:00:00 2001
|
||||
From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
|
||||
Date: Tue, 9 Apr 2013 10:07:19 +0800
|
||||
Subject: [PATCH] netrom: fix invalid use of sizeof in nr_recvmsg()
|
||||
|
||||
Upstream c802d759623acbd6e1ee9fbdabae89159a513913
|
||||
|
||||
sizeof() when applied to a pointer typed expression gives the size of the
|
||||
pointer, not that of the pointed data.
|
||||
Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)
|
||||
|
||||
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
Conflicts:
|
||||
net/netrom/af_netrom.c
|
||||
---
|
||||
net/netrom/af_netrom.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
|
||||
index 7261eb8..f334fbd 100644
|
||||
--- a/net/netrom/af_netrom.c
|
||||
+++ b/net/netrom/af_netrom.c
|
||||
@@ -1177,6 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
}
|
||||
|
||||
if (sax != NULL) {
|
||||
+ memset(sax, 0, sizeof(*sax));
|
||||
sax->sax25_family = AF_NETROM;
|
||||
skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
|
||||
AX25_ADDR_LEN);
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From 4a184233f21645cf0b719366210ed445d1024d72 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:59 +0000
|
||||
Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
|
||||
|
||||
The code in rose_recvmsg() does not initialize all of the members of
|
||||
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
|
||||
Nor does it initialize the padding bytes of the structure inserted by
|
||||
the compiler for alignment. This will lead to leaking uninitialized
|
||||
kernel stack bytes in net/socket.c.
|
||||
|
||||
Fix the issue by initializing the memory used for sockaddr info with
|
||||
memset(0).
|
||||
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/rose/af_rose.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
|
||||
index cf68e6e..9c83474 100644
|
||||
--- a/net/rose/af_rose.c
|
||||
+++ b/net/rose/af_rose.c
|
||||
@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
|
||||
|
||||
if (srose != NULL) {
|
||||
+ memset(srose, 0, msg->msg_namelen);
|
||||
srose->srose_family = AF_ROSE;
|
||||
srose->srose_addr = rose->dest_addr;
|
||||
srose->srose_call = rose->dest_call;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
Loading…
Reference in New Issue