Bug 649715 (CVE-2010-3876)

Summary: CVE-2010-3876 kernel: net/packet/af_packet.c: reading uninitialized stack memory
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: arozansk, bhu, dhoward, fhrbata, jkacur, jolsa, lgoncalv, peterm, plyons, rkhan, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:15:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 649894, 649895, 649896, 649897, 649898, 649899, 649900    
Bug Blocks:    

Description Petr Matousek 2010-11-04 12:08:00 UTC 
Description of problem:
packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13.  This structure is then copied to userland.  It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy().

The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll.  Set it to zero.


Reference:
http://marc.info/?l=linux-netdev&m=128854507220908&w=2
http://seclists.org/oss-sec/2010/q4/94

Acknowledgements:

Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Comment 2 Petr Matousek 2010-11-04 18:53:00 UTC 
Statement:

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to
this product being in Extended Life Cycle Phase of its maintenance life-cycle,
where only qualified security errata of critical impact are addressed.

For further information about the Errata Support Policy, visit:
http://www.redhat.com/security/updates/errata
Comment 3 Jiri Pirko 2010-11-13 08:11:44 UTC 
upstream commit:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=67286640f638f5ad41a946b9a3dc75327950248f
Comment 4 errata-xmlrpc 2010-12-08 19:10:16 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2010:0958 https://rhn.redhat.com/errata/RHSA-2010-0958.html
Comment 5 errata-xmlrpc 2011-01-04 16:53:26 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0004 https://rhn.redhat.com/errata/RHSA-2011-0004.html
Comment 6 errata-xmlrpc 2011-01-11 19:46:48 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html
Comment 7 errata-xmlrpc 2011-01-18 17:46:00 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0162 https://rhn.redhat.com/errata/RHSA-2011-0162.html