[Acked] [Lucid CVE-2013-3224] Bluetooth: fix possible info leak in bt_sock_recvmsg()

[Andy Whitcroft]

On Thu, May 09, 2013 at 11:01:57AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
> 
> CVE-2013-3224
> 
> BugLink: https://bugs.launchpad.net/bugs/1172368
> 
> In case the socket is already shutting down, bt_sock_recvmsg() returns
> with 0 without updating msg_namelen leading to net/socket.c leaking the
> local, uninitialized sockaddr_storage variable to userland -- 128 bytes
> of kernel stack memory.
> 
> Fix this by moving the msg_namelen assignment in front of the shutdown
> test.
> 
> Cc: Marcel Holtmann <marcel at holtmann.org>
> Cc: Gustavo Padovan <gustavo at padovan.org>
> Cc: Johan Hedberg <johan.hedberg at gmail.com>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (back ported from commit 4683f42fde3977bdb4e8a09622788cc8b5313778)
> 
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  net/bluetooth/af_bluetooth.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 8cfb5a8..d7239dd 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
>  	if (flags & (MSG_OOB))
>  		return -EOPNOTSUPP;
>  
> +	msg->msg_namelen = 0;
> +
>  	if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) {
>  		if (sk->sk_shutdown & RCV_SHUTDOWN)
>  			return 0;
>  		return err;
>  	}
>  
> -	msg->msg_namelen = 0;
> -
>  	copied = skb->len;
>  	if (len < copied) {
>  		msg->msg_flags |= MSG_TRUNC;

Looks to be a faithful backport.  Looks to do what is claimed.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw