Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 14 Apr 2013 14:16:15 +0200
From: Mathias Krause <minipli@...glemail.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: more net info leak fixes for v3.9

A few more info leaks were fixed. Unprivileged users can make use of
flaws in the buggy protocols to leak up to 128 bytes of kernel stack
memory by using recvmsg(2)/recvfrom(2). The root cause for all those
info leaks is described in the following merge commit:

http://git.kernel.org/linus/f89e8a6432409c6cbd5c2b6bb90ea694fd558de3

As sys_recvfrom() and sys_recvmsg() behaved this way since the
introduction of socket address information passing in Linux v1.1.20
(v1.3.16 for recvmsg) the protocols in question are potentially all
vulnerable since there introduction. But I haven't investigated this
any further for any other protocol but ATM and AF_ALG, which are both
indeed vulnerable since there introduction -- v2.3.15pre3 for ATM,
v2.6.38 for AF_ALG.

The fixes are the following:

9b3e617 atm: update msg_namelen in vcc_recvmsg()
http://git.kernel.org/linus/9b3e617f3df53822345a8573b6d358f6b9e5ed87

ef3313e ax25: fix info leak via msg_name in ax25_recvmsg()
http://git.kernel.org/linus/ef3313e84acbf349caecae942ab3ab731471f1a1

4683f42 Bluetooth: fix possible info leak in bt_sock_recvmsg()
http://git.kernel.org/linus/4683f42fde3977bdb4e8a09622788cc8b5313778

e11e045 Bluetooth: RFCOMM - Fix missing msg_namelen update in
rfcomm_sock_recvmsg()
http://git.kernel.org/linus/e11e0455c0d7d3d62276a0c55d9dfbc16779d691

c8c4991 Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
http://git.kernel.org/linus/c8c499175f7d295ef867335bceb9a76a2c3cdc38

2d6fbfe caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
http://git.kernel.org/linus/2d6fbfe733f35c6b355c216644e08e149c61b271

5ae94c0 irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
http://git.kernel.org/linus/5ae94c0d2f0bed41d6718be743985d61b7f5c47d

a5598bd iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
http://git.kernel.org/linus/a5598bd9c087dc0efc250a5221e5d0e6f584ee88

b860d3c l2tp: fix info leak in l2tp_ip6_recvmsg()
http://git.kernel.org/linus/b860d3cc62877fad02863e2a08efff69a19382d2

c77a4b9c llc: Fix missing msg_namelen update in llc_ui_recvmsg()
http://git.kernel.org/linus/c77a4b9cffb6215a15196ec499490d116dfad181

3ce5efa netrom: fix info leak via msg_name in nr_recvmsg()
http://git.kernel.org/linus/3ce5efad47b62c57a4f5c54248347085a750ce0e
needs also:
c802d75 netrom: fix invalid use of sizeof in nr_recvmsg()
http://git.kernel.org/linus/c802d759623acbd6e1ee9fbdabae89159a513913

d26d650 NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
http://git.kernel.org/linus/d26d6504f23e803824e8ebd14e52d4fc0a0b09cb

4a18423 rose: fix info leak via msg_name in rose_recvmsg()
http://git.kernel.org/linus/4a184233f21645cf0b719366210ed445d1024d72

60085c3 tipc: fix info leaks via msg_name in recv_msg/recv_stream
http://git.kernel.org/linus/60085c3d009b0df252547adb336d1ccca5ce52ec

680d04e VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()
http://git.kernel.org/linus/680d04e0ba7e926233e3b9cee59125ce181f66ba

d5e0d0f VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()
http://git.kernel.org/linus/d5e0d0f607a7a029c6563a0470d88255c89a8d11

Still lurking in crypto-2.6.git is the fix for AF_ALG:
72a763d crypto: algif - suppress sending source address information in recvmsg
https://git.kernel.org/cgit/linux/kernel/git/herbert/crypto-2.6.git/commit/?id=72a763d805a48ac8c0bf48fdb510e84c12de51fe

All of the above commits are scheduled for the appropriate stable and
longterm kernels.

Regards,
Mathias

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ