[Lucid CVE-2013-3232] netrom: fix info leak via msg_name in nr_recvmsg()
Luis Henriques
luis.henriques at canonical.com
Mon May 20 12:10:24 UTC 2013
On Mon, May 20, 2013 at 01:06:49PM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
>
> CVE-2013-3232
>
> BugLink: https://bugs.launchpad.net/bugs/1172386
>
> In case msg_name is set the sockaddr info gets filled out, as
> requested, but the code fails to initialize the padding bytes of
> struct sockaddr_ax25 inserted by the compiler for alignment. Also
> the sax25_ndigis member does not get assigned, leaking four more
> bytes.
>
> Both issues lead to the fact that the code will leak uninitialized
> kernel stack bytes in net/socket.c.
>
> Fix both issues by initializing the memory with memset(0).
>
> Cc: Ralf Baechle <ralf at linux-mips.org>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 3ce5efad47b62c57a4f5c54248347085a750ce0e)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> net/netrom/af_netrom.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
> index 7a83495..d240523 100644
> --- a/net/netrom/af_netrom.c
> +++ b/net/netrom/af_netrom.c
> @@ -1181,6 +1181,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
> skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
>
> if (sax != NULL) {
> + memset(sax, 0, sizeof(sax));
> sax->sax25_family = AF_NETROM;
> skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
> AX25_ADDR_LEN);
> --
> 1.8.1.2
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Cheers,
--
Luis
More information about the kernel-team
mailing list