CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
parent
d698a1000a
commit
eaa7646216
|
@ -817,6 +817,9 @@ Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
|
|||
#CVE-2013-3076 956162 956168
|
||||
Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
|
||||
|
||||
#CVE-2013-3234 956135 956139
|
||||
Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1584,6 +1587,9 @@ ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
|
|||
#CVE-2013-3076 956162 956168
|
||||
ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
|
||||
|
||||
#CVE-2013-3234 956135 956139
|
||||
ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2442,6 +2448,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Wed Apr 24 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139)
|
||||
- CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
|
||||
|
||||
* Tue Apr 23 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
From 4a184233f21645cf0b719366210ed445d1024d72 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:59 +0000
|
||||
Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
|
||||
|
||||
The code in rose_recvmsg() does not initialize all of the members of
|
||||
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
|
||||
Nor does it initialize the padding bytes of the structure inserted by
|
||||
the compiler for alignment. This will lead to leaking uninitialized
|
||||
kernel stack bytes in net/socket.c.
|
||||
|
||||
Fix the issue by initializing the memory used for sockaddr info with
|
||||
memset(0).
|
||||
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/rose/af_rose.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
|
||||
index cf68e6e..9c83474 100644
|
||||
--- a/net/rose/af_rose.c
|
||||
+++ b/net/rose/af_rose.c
|
||||
@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
|
||||
|
||||
if (srose != NULL) {
|
||||
+ memset(srose, 0, msg->msg_namelen);
|
||||
srose->srose_family = AF_ROSE;
|
||||
srose->srose_addr = rose->dest_addr;
|
||||
srose->srose_call = rose->dest_call;
|
||||
--
|
||||
1.8.1.4
|
||||
|
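Review bot: The memset added at the top of the `if (srose != NULL)` block takes its length from msg->msg_namelen rather than from the structure being filled, and nothing in this hunk shows where that value is set or bounded at this point in rose_recvmsg(). Please confirm that msg_namelen here is at least sizeof(struct full_sockaddr_rose), so the padding and unused members named in the commit message are all covered, and that it can never exceed the buffer behind srose. If that cannot be guaranteed from the caller, zeroing with the size of the sockaddr structure is the safer form. A short comment above the memset saying that it clears padding and unset members before the copy to user space would also help keep a later cleanup from dropping it.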