[Quantal CVE-2013-3222] atm: update msg_namelen in vcc_recvmsg()
Luis Henriques
luis.henriques at canonical.com
Thu May 9 10:01:40 UTC 2013
From: Mathias Krause <minipli at googlemail.com>
CVE-2013-3222
BugLink: https://bugs.launchpad.net/bugs/1172365
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about vcc_recvmsg() not filling the msg_name in case it was set.
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
net/atm/common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/atm/common.c b/net/atm/common.c
index 806fc0a..cf4b7e6 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -532,6 +532,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
struct sk_buff *skb;
int copied, error = -EINVAL;
+ msg->msg_namelen = 0;
+
if (sock->state != SS_CONNECTED)
return -ENOTCONN;
--
1.8.1.2
More information about the kernel-team
mailing list