Sophie

kernel-2.6.18-238.el5.src.rpm

From: Eugene Teo <eugene@redhat.com>
Date: Tue, 24 Feb 2009 13:02:24 +0800
Subject: [net] memory disclosure in SO_BSDCOMPAT gsopt
Message-id: 49A37F60.5080003@redhat.com
O-Subject: [RHEL5.4 patch] BZ#486518 kernel: memory disclosure in SO_BSDCOMPAT gsopt [v2]
Bugzilla: 486518
RH-Acked-by: David Miller <davem@redhat.com>
RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: Mikulas Patocka <mpatocka@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>
CVE: CVE-2009-0676

This is for bz#486518 (CVE-2009-0676).

In function sock_getsockopt() located in net/core/sock.c, optval v.val
is not correctly initialized and directly returned in userland in case
we have SO_BSDCOMPAT option set.

It includes the suggestion from Mikulas to use memset().

http://marc.info/?l=linux-kernel&m=123540732700371&w=2
http://marc.info/?l=linux-netdev&m=123543237010175&w=2

--
Eugene Teo / Red Hat Security Response Team

diff --git a/net/core/sock.c b/net/core/sock.c
index 51d4ef4..078a24b 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -673,6 +673,8 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
   		return -EFAULT;
 	if(len < 0)
 		return -EINVAL;
+
+	memset(&v, 0, sizeof(v));
 		
   	switch(optname) 
   	{
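
Review bot: the memset(&v, 0, sizeof(v)) placed ahead of switch(optname) carries no comment explaining why the whole of v is cleared on every call, although the description ties the leak to a single option (SO_BSDCOMPAT) leaving v.val unset. A one-line comment above it, saying that v is returned to userland and so must be fully initialized for any case that does not assign it, would stop the call from being removed later as redundant and would document that it also covers any other case with the same gap. As a minor style point, the new empty "+" line above the memset sits next to an existing whitespace-only line below it, so the call ends up framed by two blank lines; dropping the added one would keep the hunk tighter.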