| Message ID | 1369051603-12756-1-git-send-email-luis.henriques@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Mon, May 20, 2013 at 01:06:43PM +0100, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2013-3231 > > BugLink: https://bugs.launchpad.net/bugs/1172385 > > For stream sockets the code misses to update the msg_namelen member > to 0 and therefore makes net/socket.c leak the local, uninitialized > sockaddr_storage variable to userland -- 128 bytes of kernel stack > memory. The msg_namelen update is also missing for datagram sockets > in case the socket is shutting down during receive. > > Fix both issues by setting msg_namelen to 0 early. It will be > updated later if we're going to fill the msg_name member. > > Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit c77a4b9cffb6215a15196ec499490d116dfad181) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/llc/af_llc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c > index 606b6ad..8a814a5 100644 > --- a/net/llc/af_llc.c > +++ b/net/llc/af_llc.c > @@ -674,6 +674,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, > int target; /* Read at least this many bytes */ > long timeo; > > + msg->msg_namelen = 0; > + > lock_sock(sk); > copied = -ENOTCONN; > if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) > -- > 1.8.1.2 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Cheers, -- Luis
On Mon, May 20, 2013 at 01:06:43PM +0100, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2013-3231 > > BugLink: https://bugs.launchpad.net/bugs/1172385 > > For stream sockets the code misses to update the msg_namelen member > to 0 and therefore makes net/socket.c leak the local, uninitialized > sockaddr_storage variable to userland -- 128 bytes of kernel stack > memory. The msg_namelen update is also missing for datagram sockets > in case the socket is shutting down during receive. > > Fix both issues by setting msg_namelen to 0 early. It will be > updated later if we're going to fill the msg_name member. > > Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit c77a4b9cffb6215a15196ec499490d116dfad181) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/llc/af_llc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c > index 606b6ad..8a814a5 100644 > --- a/net/llc/af_llc.c > +++ b/net/llc/af_llc.c > @@ -674,6 +674,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, > int target; /* Read at least this many bytes */ > long timeo; > > + msg->msg_namelen = 0; > + > lock_sock(sk); > copied = -ENOTCONN; > if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) Clean cherry-pick of upstream of above sha1. Looks to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index 606b6ad..8a814a5 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -674,6 +674,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, int target; /* Read at least this many bytes */ long timeo; + msg->msg_namelen = 0; + lock_sock(sk); copied = -ENOTCONN; if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))