[Acked] [Lucid Precise Quantal CVE-2013-3225] Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
Andy Whitcroft
apw at canonical.com
Thu May 9 10:52:45 UTC 2013
On Thu, May 09, 2013 at 11:02:07AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
>
> CVE-2013-3225
>
> BugLink: https://bugs.launchpad.net/bugs/1172369
>
> If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
> early with 0 without updating the possibly set msg_namelen member. This,
> in turn, leads to a 128 byte kernel stack leak in net/socket.c.
>
> Fix this by updating msg_namelen in this case. For all other cases it
> will be handled in bt_sock_stream_recvmsg().
>
> Cc: Marcel Holtmann <marcel at holtmann.org>
> Cc: Gustavo Padovan <gustavo at padovan.org>
> Cc: Johan Hedberg <johan.hedberg at gmail.com>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> net/bluetooth/rfcomm/sock.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index ce3f665..970fc13 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -610,6 +610,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
>
> if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
> rfcomm_dlc_accept(d);
> + msg->msg_namelen = 0;
> return 0;
> }
Looks to be a clean cherry-pick. Looks to do what is claimed.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
More information about the kernel-team
mailing list