Patchwork [Lucid,Precise,Quantal,CVE-2013-3234] rose: fix info leak via msg_name in rose_recvmsg()

login
register
mail settings
Submitter Luis Henriques
Date May 9, 2013, 2:07 p.m.
Message ID <1368108473-13250-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/242763/
State New
Headers show

Comments

Luis Henriques - May 9, 2013, 2:07 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2013-3234

BugLink: https://bugs.launchpad.net/bugs/1172394

The code in rose_recvmsg() does not initialize all of the members of
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
Nor does it initialize the padding bytes of the structure inserted by
the compiler for alignment. This will lead to leaking uninitialized
kernel stack bytes in net/socket.c.

Fix the issue by initializing the memory used for sockaddr info with
memset(0).

Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4a184233f21645cf0b719366210ed445d1024d72)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/rose/af_rose.c | 1 +
 1 file changed, 1 insertion(+)
Stefan Bader - May 9, 2013, 2:55 p.m.

Tim Gardner - May 9, 2013, 3:13 p.m.

Patch

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 523efbb..2984999 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1275,6 +1275,7 @@  static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 
 	if (srose != NULL) {
+		memset(srose, 0, msg->msg_namelen);
 		srose->srose_family = AF_ROSE;
 		srose->srose_addr   = rose->dest_addr;
 		srose->srose_call   = rose->dest_call;