[Acked] [Precise Quantal CVE-2013-3224] Bluetooth: fix possible info leak in bt_sock_recvmsg()
Andy Whitcroft
apw at canonical.com
Thu May 9 10:51:22 UTC 2013
On Thu, May 09, 2013 at 11:01:58AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
>
> CVE-2013-3224
>
> BugLink: https://bugs.launchpad.net/bugs/1172368
>
> In case the socket is already shutting down, bt_sock_recvmsg() returns
> with 0 without updating msg_namelen leading to net/socket.c leaking the
> local, uninitialized sockaddr_storage variable to userland -- 128 bytes
> of kernel stack memory.
>
> Fix this by moving the msg_namelen assignment in front of the shutdown
> test.
>
> Cc: Marcel Holtmann <marcel at holtmann.org>
> Cc: Gustavo Padovan <gustavo at padovan.org>
> Cc: Johan Hedberg <johan.hedberg at gmail.com>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 4683f42fde3977bdb4e8a09622788cc8b5313778)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> net/bluetooth/af_bluetooth.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 5355df6..b04795e 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -230,6 +230,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
> if (flags & (MSG_OOB))
> return -EOPNOTSUPP;
>
> + msg->msg_namelen = 0;
> +
> skb = skb_recv_datagram(sk, flags, noblock, &err);
> if (!skb) {
> if (sk->sk_shutdown & RCV_SHUTDOWN)
> @@ -237,8 +239,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
> return err;
> }
>
> - msg->msg_namelen = 0;
> -
> copied = skb->len;
> if (len < copied) {
> msg->msg_flags |= MSG_TRUNC;
Looks to be a cherry-pick. Looks to do what is claimed.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
More information about the kernel-team
mailing list