Bug 820039 (CVE-2012-3430)

Summary: CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: agordeev, anton, arozansk, davej, dhoward, fenlason, fhrbata, gansalmon, gary.p.anderson, itamar, jforbes, jonathan, jwboyer, kernel-maint, kernel-mgr, lwang, madhu.chinakonda, pmatouse, security-response-team, sforsber, wpan
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20120723,reported=20120508,source=redhat,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N,rhel-4/kernel=wontfix,rhel-5/kernel=affected,rhel-6/kernel=affected,mrg-2.1/realtime-kernel=notaffected,mrg-2.2/realtime-kernel=affected,fedora-all/kernel=affected
Doc Type: Bug Fix
Last Closed: 2013-08-24 08:52:52 EDT
Bug Depends On: 822727, 822728, 822729, 822731, 843553, 843554
Bug Blocks: 819767

Description Eugene Teo (Security Response) 2012-05-08 20:43:22 EDT
Two similar issues:

1) Reported by Jay Fenlason and Doug Ledford:
recvfrom() on an RDS socket can disclose sizeof(struct sockaddr_storage)-sizeof(struct sockaddr_in) bytes of kernel stack to userspace when receiving a datagram.

2) Reported by Jay Fenlason:
recv{from,msg}() on an RDS socket can disclose sizeof(struct sockaddr_storage)
bytes of kernel stack to userspace when other code paths are taken.
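
The two cases in the description above, as a simplified userspace model added here (not kernel code and not taken from this bug report). It assumes the generic socket layer presets the address length to the full buffer and relies on the protocol handler to lower it; `proto_recv`, `leaked_bytes`, the `fixed` switch and the `0xAA` marker are hypothetical names and constructed values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define STALE 0xAA /* constructed marker standing in for old stack contents */
enum path { PATH_DATAGRAM, PATH_OTHER };

/* Hypothetical protocol receive handler; fixed != 0 selects the hardened form. */
static void proto_recv(struct sockaddr_storage *name, socklen_t *namelen,
                       enum path p, int fixed)
{
    if (fixed)
        *namelen = 0;                /* default: no address is returned */
    if (p == PATH_DATAGRAM) {
        struct sockaddr_in sin = {0};
        sin.sin_family = AF_INET;
        sin.sin_port = htons(4000);
        sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        memcpy(name, &sin, sizeof(sin));
        if (fixed)
            *namelen = sizeof(sin);  /* report only the bytes actually written */
    }
}

/* Models the generic socket layer; returns the count of stale bytes copied out. */
size_t leaked_bytes(enum path p, int fixed)
{
    struct sockaddr_storage kaddr;           /* stands in for the kernel stack buffer */
    unsigned char user[sizeof(kaddr)] = {0}; /* caller's address buffer */
    socklen_t namelen = sizeof(kaddr);       /* assumption: preset to the full size */
    size_t i, n = 0;

    memset(&kaddr, STALE, sizeof(kaddr));    /* simulate uninitialised stack data */
    proto_recv(&kaddr, &namelen, p, fixed);
    memcpy(user, &kaddr, namelen);           /* copy-out trusts namelen */
    for (i = 0; i < sizeof(user); i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    printf("case 1, unfixed: %zu bytes\n", leaked_bytes(PATH_DATAGRAM, 0));
    printf("case 2, unfixed: %zu bytes\n", leaked_bytes(PATH_OTHER, 0));
    printf("case 1, fixed:   %zu bytes\n", leaked_bytes(PATH_DATAGRAM, 1));
    return 0;
}
```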

Comment 5 Petr Matousek 2012-07-26 11:26:38 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security
impact. Future kernel updates may address this issue. For additional
information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.

Comment 7 Petr Matousek 2012-07-26 11:28:09 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 843554]

Comment 12 Fedora Update System 2012-08-05 17:24:52 EDT
kernel-3.4.7-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Murray McAllister 2012-09-24 07:05:01 EDT
Acknowledgements:

This issue was discovered by the Red Hat InfiniBand team.

Comment 14 errata-xmlrpc 2012-09-25 14:59:47 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html

Comment 15 Gary Anderson 2012-10-01 13:01:23 EDT
The statement from Petr Matousek on July 29th states that RHEL 5 is affected by this issue.  Is there any current release or estimated release date for the RHEL 5 resolution/fix?

Comment 16 Petr Matousek 2012-10-02 05:22:45 EDT
(In reply to comment #15)
> The statement from Petr Matousek on July 29th states that RHEL 5 is affected
> by this issue.  Is there any current release or estimated release date for
> the RHEL 5 resolution/fix?

Hello, Gary.

Today we are going to release a regular kernel update for Red Hat Enterprise Linux 5 that fixes this issue.

Best regards,
--
Petr Matousek / Red Hat Security Response Team

Comment 17 errata-xmlrpc 2012-10-02 13:45:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1323 https://rhn.redhat.com/errata/RHSA-2012-1323.html

Comment 18 errata-xmlrpc 2012-12-04 14:58:20 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html