Message ID | 1368093673-6595-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
On Thu, May 09, 2013 at 11:01:13AM +0100, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2013-3076 > > BugLink: https://bugs.launchpad.net/bugs/1172363 > > The current code does not set the msg_namelen member to 0 and therefore > makes net/socket.c leak the local sockaddr_storage variable to userland > -- 128 bytes of kernel stack memory. Fix that. > > Cc: <stable@vger.kernel.org> # 2.6.38 > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > (cherry picked from commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > crypto/algif_hash.c | 2 ++ > crypto/algif_skcipher.c | 1 + > 2 files changed, 3 insertions(+) > > diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c > index ef5356c..0262210 100644 > --- a/crypto/algif_hash.c > +++ b/crypto/algif_hash.c > @@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, > else if (len < ds) > msg->msg_flags |= MSG_TRUNC; > > + msg->msg_namelen = 0; > + > lock_sock(sk); > if (ctx->more) { > ctx->more = 0; > diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c > index 6a6dfc0..a1c4f0a 100644 > --- a/crypto/algif_skcipher.c > +++ b/crypto/algif_skcipher.c > @@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, > long copied = 0; > > lock_sock(sk); > + msg->msg_namelen = 0; > for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; > iovlen--, iov++) { > unsigned long seglen = iov->iov_len; Seems to be an upstream cherry-pick as stated, looks to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index ef5356c..0262210 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, else if (len < ds) msg->msg_flags |= MSG_TRUNC; + msg->msg_namelen = 0; + lock_sock(sk); if (ctx->more) { ctx->more = 0; diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 6a6dfc0..a1c4f0a 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, long copied = 0; lock_sock(sk); + msg->msg_namelen = 0; for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; iovlen--, iov++) { unsigned long seglen = iov->iov_len;