Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 14 Apr 2013 14:16:15 +0200
From: Mathias Krause <minipli@...glemail.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: more net info leak fixes for v3.9

A few more info leaks were fixed. Unprivileged users can make use of
flaws in the buggy protocols to leak up to 128 bytes of kernel stack
memory by using recvmsg(2)/recvfrom(2). The root cause for all those
info leaks is described in the following merge commit:

http://git.kernel.org/linus/f89e8a6432409c6cbd5c2b6bb90ea694fd558de3

As sys_recvfrom() and sys_recvmsg() behaved this way since the
introduction of socket address information passing in Linux v1.1.20
(v1.3.16 for recvmsg) the protocols in question are potentially all
vulnerable since there introduction. But I haven't investigated this
any further for any other protocol but ATM and AF_ALG, which are both
indeed vulnerable since there introduction -- v2.3.15pre3 for ATM,
v2.6.38 for AF_ALG.

The fixes are the following:

9b3e617 atm: update msg_namelen in vcc_recvmsg()
http://git.kernel.org/linus/9b3e617f3df53822345a8573b6d358f6b9e5ed87

ef3313e ax25: fix info leak via msg_name in ax25_recvmsg()
http://git.kernel.org/linus/ef3313e84acbf349caecae942ab3ab731471f1a1

4683f42 Bluetooth: fix possible info leak in bt_sock_recvmsg()
http://git.kernel.org/linus/4683f42fde3977bdb4e8a09622788cc8b5313778

e11e045 Bluetooth: RFCOMM - Fix missing msg_namelen update in
rfcomm_sock_recvmsg()
http://git.kernel.org/linus/e11e0455c0d7d3d62276a0c55d9dfbc16779d691

c8c4991 Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
http://git.kernel.org/linus/c8c499175f7d295ef867335bceb9a76a2c3cdc38

2d6fbfe caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
http://git.kernel.org/linus/2d6fbfe733f35c6b355c216644e08e149c61b271

5ae94c0 irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
http://git.kernel.org/linus/5ae94c0d2f0bed41d6718be743985d61b7f5c47d

a5598bd iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
http://git.kernel.org/linus/a5598bd9c087dc0efc250a5221e5d0e6f584ee88

b860d3c l2tp: fix info leak in l2tp_ip6_recvmsg()
http://git.kernel.org/linus/b860d3cc62877fad02863e2a08efff69a19382d2

c77a4b9c llc: Fix missing msg_namelen update in llc_ui_recvmsg()
http://git.kernel.org/linus/c77a4b9cffb6215a15196ec499490d116dfad181

3ce5efa netrom: fix info leak via msg_name in nr_recvmsg()
http://git.kernel.org/linus/3ce5efad47b62c57a4f5c54248347085a750ce0e
needs also:
c802d75 netrom: fix invalid use of sizeof in nr_recvmsg()
http://git.kernel.org/linus/c802d759623acbd6e1ee9fbdabae89159a513913

d26d650 NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
http://git.kernel.org/linus/d26d6504f23e803824e8ebd14e52d4fc0a0b09cb

4a18423 rose: fix info leak via msg_name in rose_recvmsg()
http://git.kernel.org/linus/4a184233f21645cf0b719366210ed445d1024d72

60085c3 tipc: fix info leaks via msg_name in recv_msg/recv_stream
http://git.kernel.org/linus/60085c3d009b0df252547adb336d1ccca5ce52ec

680d04e VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()
http://git.kernel.org/linus/680d04e0ba7e926233e3b9cee59125ce181f66ba

d5e0d0f VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()
http://git.kernel.org/linus/d5e0d0f607a7a029c6563a0470d88255c89a8d11

Still lurking in crypto-2.6.git is the fix for AF_ALG:
72a763d crypto: algif - suppress sending source address information in recvmsg
https://git.kernel.org/cgit/linux/kernel/git/herbert/crypto-2.6.git/commit/?id=72a763d805a48ac8c0bf48fdb510e84c12de51fe

All of the above commits are scheduled for the appropriate stable and
longterm kernels.

Regards,
Mathias

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.