diff --git a/NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch b/NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch new file mode 100644 index 000000000..e518cca51 --- /dev/null +++ b/NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch @@ -0,0 +1,61 @@ +From 4a3ad999af6c1b9a872fb70f19842784779383ee Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:58 +0000 +Subject: [PATCH] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() + +Upstream d26d6504f23e803824e8ebd14e52d4fc0a0b09cb + +The code in llcp_sock_recvmsg() does not initialize all the members of +struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it +initialize the padding bytes of the structure inserted by the compiler +for alignment. + +Also, if the socket is in state LLCP_CLOSED or is shutting down during +receive the msg_namelen member is not updated to 0 while otherwise +returning with 0, i.e. "success". The msg_namelen update is also +missing for stream and seqpacket sockets which don't fill the sockaddr +info. + +Both issues lead to the fact that the code will leak uninitialized +kernel stack bytes in net/socket.c. + +Fix the first issue by initializing the memory used for sockaddr info +with memset(0). Fix the second one by setting msg_namelen to 0 early. +It will be updated later if we're going to fill the msg_name member. + +Cc: Lauro Ramos Venancio +Cc: Aloisio Almeida Jr +Cc: Samuel Ortiz +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller + +Conflicts: + net/nfc/llcp/sock.c +--- + net/nfc/llcp/sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c +index fea22eb..48fb1de 100644 +--- a/net/nfc/llcp/sock.c ++++ b/net/nfc/llcp/sock.c +@@ -644,6 +644,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + + pr_debug("%p %zu\n", sk, len); + ++ msg->msg_namelen = 0; ++ + lock_sock(sk); + + if (sk->sk_state == LLCP_CLOSED && +@@ -684,6 +686,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + + pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap); + ++ memset(&sockaddr, 0, sizeof(sockaddr)); + sockaddr.sa_family = AF_NFC; + sockaddr.nfc_protocol = NFC_PROTO_NFC_DEP; + sockaddr.dsap = ui_cb->dsap; +-- +1.8.1.4 + diff --git a/kernel.spec b/kernel.spec index 5109dc75c..f7c6b84c0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -820,6 +820,9 @@ Patch25019: crypto-algif-suppress-sending-source-address-informa.patch #CVE-2013-3234 956135 956139 Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch +#CVE-2013-3233 956125 956129 +Patch25021: NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch + # END OF PATCH DEFINITIONS %endif @@ -1590,6 +1593,9 @@ ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch #CVE-2013-3234 956135 956139 ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch +#CVE-2013-3233 956125 956129 +ApplyPatch NFC-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_re.patch + # END OF PATCH APPLICATIONS %endif @@ -2448,6 +2454,7 @@ fi # || || %changelog * Wed Apr 24 2013 Josh Boyer +- CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129) - CVE-2013-3234 rose: info leak via msg_name in rose_recvmsg (rhbz 956135 956139) - CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)