Red Hat Bugzilla – Bug 918512
kernel: crypto: info leaks in report API
Last modified: 2015-07-31 02:59:34 EDT
Linux kernels built with crypto user APIs are vulnerable to an information
disclosure flaw. It occurs when a user calls the `crypto_*_report' APIs via
the netlink-based crypto API interface.
1) CVE-2013-2546: Structures used for the netlink based crypto report API are
located on the stack. Uninitialised kernel memory bytes from these structures
are leaked, as `snprintf' does not fill the remainder of the buffer with
2) CVE-2013-2547: routine `crypto_report_one' does not initialize all fields of
a structure `struct crypto_user_alg'. Thus, uninitialised heap memory bytes are
leaked to the user space.
3) CVE-2013-2548: while copying kernel module name, we should copy only as many
bytes as module_name() returns and not as much as the destination buffer could
hold. But the current code copies uninitialised data from behind the end of the
module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME, thus
leaking kernel memory bytes.
A privileged user/program (CAP_NET_ADMIN) could use this flaw to read kernel
These issues do not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.
These issues do affect the version of Linux kernel as shipped with Red Hat
Enterprise MRG 2. Future kernel updates for Red Hat Enterprise MRG 2 may address
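Added example, not part of the bug report or of the kernel source: a user-space C sketch of the leak pattern in item 1 (a fixed-size string field filled with `snprintf' and then copied out whole), next to two forms that leave no stale bytes. The struct, the function names, the 0xAA fill standing in for uninitialised stack memory and the field size of 64 are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_NAME 64  /* assumed stand-in for CRYPTO_MAX_ALG_NAME */

/* Hypothetical report structure whose full sizeof() is sent to the caller. */
struct report { char type[MAX_NAME]; };

/* Constructed stand-in for whatever was left on the stack before. */
static void poison(struct report *r) { memset(r, 0xAA, sizeof(*r)); }

/* Count non-zero bytes after the string terminator: these are the bytes
 * of old memory a receiver would see when the whole struct is copied out. */
static size_t stale_bytes(const struct report *r)
{
    const char *nul = memchr(r->type, 0, MAX_NAME);
    size_t end = nul ? (size_t)(nul - r->type) : MAX_NAME, n = 0;
    for (size_t i = end; i < MAX_NAME; i++)
        n += (r->type[i] != 0);
    return n;
}

/* Leaky: snprintf writes the string and a single NUL, nothing after it. */
size_t fill_with_snprintf(const char *name)
{
    struct report r; poison(&r);
    snprintf(r.type, sizeof(r.type), "%s", name);
    return stale_bytes(&r);
}

/* Hardened: strncpy pads the remainder of the field with NUL bytes. */
size_t fill_with_strncpy(const char *name)
{
    struct report r; poison(&r);
    strncpy(r.type, name, sizeof(r.type) - 1);
    r.type[sizeof(r.type) - 1] = '\0';
    return stale_bytes(&r);
}

/* Hardened: zero the whole structure (padding included) before filling. */
size_t fill_after_memset(const char *name)
{
    struct report r; poison(&r);
    memset(&r, 0, sizeof(r));
    snprintf(r.type, sizeof(r.type), "%s", name);
    return stale_bytes(&r);
}

int main(void)
{
    printf("snprintf: %zu stale bytes\n", fill_with_snprintf("sha256"));
    printf("strncpy:  %zu stale bytes\n", fill_with_strncpy("sha256"));
    printf("memset:   %zu stale bytes\n", fill_after_memset("sha256"));
    return 0;
}
```

When reviewing similar code, the same check applies to every fixed-size field and to structure padding in any object that is copied to user space by its full size.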
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 918521]
kernel-3.8.2-206.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.8.3-103.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2013:0829 https://rhn.redhat.com/errata/RHSA-2013-0829.html