Message ID | 1368093727-6859-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
On Thu, May 09, 2013 at 11:02:07AM +0100, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2013-3225 > > BugLink: https://bugs.launchpad.net/bugs/1172369 > > If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns > early with 0 without updating the possibly set msg_namelen member. This, > in turn, leads to a 128 byte kernel stack leak in net/socket.c. > > Fix this by updating msg_namelen in this case. For all other cases it > will be handled in bt_sock_stream_recvmsg(). > > Cc: Marcel Holtmann <marcel@holtmann.org> > Cc: Gustavo Padovan <gustavo@padovan.org> > Cc: Johan Hedberg <johan.hedberg@gmail.com> > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/bluetooth/rfcomm/sock.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c > index ce3f665..970fc13 100644 > --- a/net/bluetooth/rfcomm/sock.c > +++ b/net/bluetooth/rfcomm/sock.c > @@ -610,6 +610,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, > > if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { > rfcomm_dlc_accept(d); > + msg->msg_namelen = 0; > return 0; > } Looks to be a clean cherry-pick. Looks to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index ce3f665..970fc13 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -610,6 +610,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { rfcomm_dlc_accept(d); + msg->msg_namelen = 0; return 0; }