[Acked] [Lucid Precise Quantal CVE-2013-3223] ax25: fix info leak via msg_name in ax25_recvmsg()
Andy Whitcroft
apw at canonical.com
Thu May 9 10:47:26 UTC 2013
On Thu, May 09, 2013 at 11:01:48AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
>
> CVE-2013-3223
>
> BugLink: https://bugs.launchpad.net/bugs/1172366
>
> When msg_namelen is non-zero the sockaddr info gets filled out, as
> requested, but the code fails to initialize the padding bytes of struct
> sockaddr_ax25 inserted by the compiler for alignment. Additionally the
> msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
> not always filled up to this size.
>
> Both issues lead to the fact that the code will leak uninitialized
> kernel stack bytes in net/socket.c.
>
> Fix both issues by initializing the memory with memset(0).
>
> Cc: Ralf Baechle <ralf at linux-mips.org>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit ef3313e84acbf349caecae942ab3ab731471f1a1)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> net/ax25/af_ax25.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
> index 779095d..d53a123 100644
> --- a/net/ax25/af_ax25.c
> +++ b/net/ax25/af_ax25.c
> @@ -1647,6 +1647,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
> ax25_address src;
> const unsigned char *mac = skb_mac_header(skb);
>
> + memset(sax, 0, sizeof(struct full_sockaddr_ax25));
> ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
> &digi, NULL, NULL);
> sax->sax25_family = AF_AX25;
Clean cherry-pick, seems to do what is claimed.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
More information about the kernel-team
mailing list