Patchwork [Quantal,Precise,CVE-2013-3076] crypto: algif - suppress sending source address information in recvmsg

login
register
mail settings
Submitter Luis Henriques
Date May 9, 2013, 10:01 a.m.
Message ID <1368093673-6595-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/242740/
State New
Headers show

Comments

Luis Henriques - May 9, 2013, 10:01 a.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2013-3076

BugLink: https://bugs.launchpad.net/bugs/1172363

The current code does not set the msg_namelen member to 0 and therefore
makes net/socket.c leak the local sockaddr_storage variable to userland
-- 128 bytes of kernel stack memory. Fix that.

Cc: <stable@vger.kernel.org> # 2.6.38
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 crypto/algif_hash.c     | 2 ++
 crypto/algif_skcipher.c | 1 +
 2 files changed, 3 insertions(+)
Andy Whitcroft - May 9, 2013, 10:44 a.m.
On Thu, May 09, 2013 at 11:01:13AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli@googlemail.com>
> 
> CVE-2013-3076
> 
> BugLink: https://bugs.launchpad.net/bugs/1172363
> 
> The current code does not set the msg_namelen member to 0 and therefore
> makes net/socket.c leak the local sockaddr_storage variable to userland
> -- 128 bytes of kernel stack memory. Fix that.
> 
> Cc: <stable@vger.kernel.org> # 2.6.38
> Signed-off-by: Mathias Krause <minipli@googlemail.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> (cherry picked from commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  crypto/algif_hash.c     | 2 ++
>  crypto/algif_skcipher.c | 1 +
>  2 files changed, 3 insertions(+)
> 
> diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
> index ef5356c..0262210 100644
> --- a/crypto/algif_hash.c
> +++ b/crypto/algif_hash.c
> @@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
>  	else if (len < ds)
>  		msg->msg_flags |= MSG_TRUNC;
>  
> +	msg->msg_namelen = 0;
> +
>  	lock_sock(sk);
>  	if (ctx->more) {
>  		ctx->more = 0;
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index 6a6dfc0..a1c4f0a 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
>  	long copied = 0;
>  
>  	lock_sock(sk);
> +	msg->msg_namelen = 0;
>  	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
>  	     iovlen--, iov++) {
>  		unsigned long seglen = iov->iov_len;

Seems to be an upstream cherry-pick as stated, looks to do what is
claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Stefan Bader - May 9, 2013, 1 p.m.

Tim Gardner - May 9, 2013, 2:39 p.m.

Patch

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index ef5356c..0262210 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -161,6 +161,8 @@  static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
 	else if (len < ds)
 		msg->msg_flags |= MSG_TRUNC;
 
+	msg->msg_namelen = 0;
+
 	lock_sock(sk);
 	if (ctx->more) {
 		ctx->more = 0;
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 6a6dfc0..a1c4f0a 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -432,6 +432,7 @@  static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
 	long copied = 0;
 
 	lock_sock(sk);
+	msg->msg_namelen = 0;
 	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
 	     iovlen--, iov++) {
 		unsigned long seglen = iov->iov_len;