[Acked] [Quantal CVE-2013-3222] atm: update msg_namelen in vcc_recvmsg()
Andy Whitcroft
apw at canonical.com
Thu May 9 10:46:27 UTC 2013
On Thu, May 09, 2013 at 11:01:40AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
>
> CVE-2013-3222
>
> BugLink: https://bugs.launchpad.net/bugs/1172365
>
> The current code does not fill the msg_name member in case it is set.
> It also does not set the msg_namelen member to 0 and therefore makes
> net/socket.c leak the local, uninitialized sockaddr_storage variable
> to userland -- 128 bytes of kernel stack memory.
>
> Fix that by simply setting msg_namelen to 0 as obviously nobody cared
> about vcc_recvmsg() not filling the msg_name in case it was set.
>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> net/atm/common.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/atm/common.c b/net/atm/common.c
> index 806fc0a..cf4b7e6 100644
> --- a/net/atm/common.c
> +++ b/net/atm/common.c
> @@ -532,6 +532,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
> struct sk_buff *skb;
> int copied, error = -EINVAL;
>
> + msg->msg_namelen = 0;
> +
> if (sock->state != SS_CONNECTED)
> return -ENOTCONN;
Looks to be a cherry-pick indeed, and to do what is claimed.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
More information about the kernel-team
mailing list