[Lucid Precise Quantal CVE-2013-3234] rose: fix info leak via msg_name in rose_recvmsg()

Luis Henriques luis.henriques at canonical.com
Thu May 9 14:07:53 UTC 2013


From: Mathias Krause <minipli at googlemail.com>

CVE-2013-3234

BugLink: https://bugs.launchpad.net/bugs/1172394

The code in rose_recvmsg() does not initialize all of the members of
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
Nor does it initialize the padding bytes of the structure inserted by
the compiler for alignment. This will lead to leaking uninitialized
kernel stack bytes in net/socket.c.

Fix the issue by initializing the memory used for sockaddr info with
memset(0).

Cc: Ralf Baechle <ralf at linux-mips.org>
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit 4a184233f21645cf0b719366210ed445d1024d72)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/rose/af_rose.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 523efbb..2984999 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1275,6 +1275,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 
 	if (srose != NULL) {
+		memset(srose, 0, msg->msg_namelen);
 		srose->srose_family = AF_ROSE;
 		srose->srose_addr   = rose->dest_addr;
 		srose->srose_call   = rose->dest_call;
-- 
1.8.1.2




More information about the kernel-team mailing list