Bug 486305 (CVE-2009-0676) - CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt
Summary: CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0676
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 486514 486515 486516 486517 486518
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-02-19 10:18 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:28 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-30 23:36:24 UTC
Embargoed:

Attachments (Terms of Use)
Upstream patch (1.38 KB, patch)
2009-02-19 10:32 UTC, Eugene Teo (Security Response) 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0326 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-04-01 08:28:02 UTC
Red Hat Product Errata RHSA-2009:0360 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-03-27 00:15:06 UTC
Red Hat Product Errata RHSA-2009:0459 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-04-30 21:24:29 UTC

Description Eugene Teo (Security Response) 2009-02-19 10:18:20 UTC 
From Clement Lecigne:
In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and directly returned in userland in case we have SO_BSDCOMPAT option set.

This dummy code should trigger the bug:

int main(void)
{
	unsigned char buf[4] = { 0, 0, 0, 0 };
	int len;
	int sock;
	sock = socket(33, 2, 2);
	getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
	printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
	close(sock);
}

References:
http://lkml.org/lkml/2009/2/11/374
http://lkml.org/lkml/2009/2/12/123
http://patchwork.kernel.org/patch/6816/
Comment 1 Eugene Teo (Security Response) 2009-02-19 10:32:27 UTC 
Created attachment 332522 [details]
Upstream patch

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=df0bca049d01c0ee94afb7cd5dfd959541e6c8da
Comment 3 Eugene Teo (Security Response) 2009-02-20 04:50:21 UTC 
This is a small infoleak. Do test the return values of socket() and getsockopt() in your testcase. You should be able to see the warning "process 'reproducer' is using obsolete getsockopt SO_BSDCOMPAT" in /var/log/messages.

sock = socket(2, 2, 0);
err = getsockopt(sock, 1 /* SOL_SOCKET */, SO_BSDCOMPAT, &buf, &len);

SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
                char __user *, optval, int __user *, optlen)
{
[...]
                if (level == SOL_SOCKET)
                        err =
                            sock_getsockopt(sock, level, optname, optval,
                                            optlen);
Comment 4 Eugene Teo (Security Response) 2009-02-24 02:32:02 UTC 
net: amend the fix for SO_BSDCOMPAT gsopt infoleak
http://marc.info/?l=linux-kernel&m=123540732700371&w=2
http://marc.info/?l=linux-netdev&m=123543237010175&w=2
Comment 5 Eugene Teo (Security Response) 2009-02-25 02:07:48 UTC 
(In reply to comment #4)
> net: amend the fix for SO_BSDCOMPAT gsopt infoleak
> http://marc.info/?l=linux-kernel&m=123540732700371&w=2
> http://marc.info/?l=linux-netdev&m=123543237010175&w=2

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
Comment 7 Eugene Teo (Security Response) 2009-03-19 04:11:24 UTC 
CVSS2 score of low, 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Comment 8 errata-xmlrpc 2009-03-27 00:14:47 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:0360 https://rhn.redhat.com/errata/RHSA-2009-0360.html
Comment 9 errata-xmlrpc 2009-04-01 08:30:59 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html
Comment 11 errata-xmlrpc 2009-04-30 21:25:03 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0459 https://rhn.redhat.com/errata/RHSA-2009-0459.html
Note You need to log in before you can comment on or make changes to this bug.