CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007)

2013-07-03 15:36:22 -04:00 · 2013-07-03 15:36:22 -04:00 · d85f8a309c
parent 1afd520f13
commit d85f8a309c
2 changed files with 44 additions and 0 deletions
--- a/af_key-fix-info-leaks-in-notify-messages.patch
+++ b/af_key-fix-info-leaks-in-notify-messages.patch
@ -0,0 +1,37 @@
+From a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 26 Jun 2013 21:52:30 +0000
+Subject: af_key: fix info leaks in notify messages
+
+key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+the sadb_msg_reserved member of the broadcasted message and thereby
+leak 2 bytes of heap memory to listeners. Fix that.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index c5fbd75..9da8620 100644
+--- a/net/key/af_key.c
+++ b/net/key/af_key.c
+@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c)
+ 	hdr->sadb_msg_version = PF_KEY_V2;
+ 	hdr->sadb_msg_errno = (uint8_t) 0;
+ 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+	hdr->sadb_msg_reserved = 0;
+ 
+ 	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ 
+@@ -2699,6 +2700,7 @@ static int key_notify_policy_flush(const struct km_event *c)
+ 	hdr->sadb_msg_errno = (uint8_t) 0;
+ 	hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
+ 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+	hdr->sadb_msg_reserved = 0;
+ 	pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ 	return 0;
+ 
+--
+cgit v0.9.2
--- a/kernel.spec
+++ b/kernel.spec
@ -791,6 +791,9 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch
 Patch25056: iwl3945-better-skb-management-in-rx-path.patch
 Patch25057: iwl4965-better-skb-management-in-rx-path.patch

+#CVE-2013-2234 rhbz 980995 981007
+Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1520,6 +1523,9 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch
 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
 ApplyPatch iwl4965-better-skb-management-in-rx-path.patch

+#CVE-2013-2234 rhbz 980995 981007
+ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2366,6 +2372,7 @@ fi
 #                 ||     ||
 %changelog
 * Wed Jul 03 2013 Josh Boyer <jwboyer@redhat.com>
+- CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007)
 - Linux v3.9.9

 * Wed Jul 03 2013 Josh Boyer <jwboyer@redhat.com>