Bug 918512 (CVE-2013-2546, CVE-2013-2547, CVE-2013-2548)

Summary: kernel: crypto: info leaks in report API
Product: [Other] Security Response Reporter: Prasad J Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, anton, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, plougher, pmatouse, rt-maint, rvrbovsk, sforsber, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130205,reported=20130305,source=oss-security,cvss2=1/AV:L/AC:H/Au:S/C:P/I:N/A:N,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,mrg-2/realtime-kernel=affected,fedora-all/kernel=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-10 05:40:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 918519, 918520, 918521    
Bug Blocks: 918391    

Description Prasad J Pandit 2013-03-06 12:33:35 UTC
Linux kernels built with crypto user APIs are vulnerable to the information
disclosure flaw. It occurs when user calls the `crypto_*_report' APIs via
netlink based crypto API interface.

1) CVE-2013-2546: Structures used for the netlink based crypto report API are
located on the stack. Uninitialised kernel memory bytes from these structures
are leaked, as `snprintf' does not fill the remainder of the buffer with
zero(NULL) bytes.

2) CVE-2013-2547: routine `crypto_report_one' does not initialize all fields of
a structure `struct crypto_user_alg'. Thus, uninitialised heap memory bytes are
leaked to the user space.

3) CVE-2013-2548: while copying kernel module name, we should copy only as many
bytes as module_name() returns and not as much as the destination buffer could
hold. But the current code copies uninitialised data from behind the end of the
module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME, thus
leaking kernel memory bytes.

A privileged user/program (CAP_NET_ADMIN) could use this flaw to read kernel
memory area.

Upstream fix:
 -> https://git.kernel.org/linus/9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6

Comment 1 Prasad J Pandit 2013-03-06 12:48:54 UTC

These issues do not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. 

These issues do affect the version of Linux kernel as shipped with Red Hat
Enterprise MRG 2. Future kernel updates for Red Hat Enterprise MRG 2 may address
this issue.

Comment 3 Prasad J Pandit 2013-03-06 13:00:17 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 918521]

Comment 4 Fedora Update System 2013-03-11 01:24:06 UTC
kernel-3.8.2-206.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-03-22 00:19:46 UTC
kernel-3.8.3-103.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2013-05-20 16:50:06 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0829 https://rhn.redhat.com/errata/RHSA-2013-0829.html