Bug 519305 - (CVE-2009-3001, CVE-2009-3002) CVE-2009-3001, CVE-2009-3002 kernel: numerous getname() infoleaks
CVE-2009-3001, CVE-2009-3002 kernel: numerous getname() infoleaks
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,source=lkml,reported...
: Security
Depends On: 519306 519307 519308 519309 519310 520292
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-25 21:50 EDT by Eugene Teo (Security Response)
Modified: 2010-12-21 14:02 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 14:02:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2009-08-25 21:50:18 EDT
Description of problem:
1) NET: llc, zero sockaddr_llc struct
sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc before copying to the above layer's structure.

http://git.kernel.org/linus/3480c63bdf008e9289aab94418f43b9592978fff
http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
http://milw0rm.com/exploits/9513

Note that LLC sockets are restricted to root since v2.6.25-rc9 (see commit 3480c63b).

2) can: Fix raw_getname() leak
raw_getname() can leak 10 bytes of kernel memory to user

http://git.kernel.org/linus/e84b90ae5eb3c112d1f208964df1d8156a538289

Note that this was introduced in v2.6.25-rc1.

3) irda: Fix irda_getname() leak
irda_getname() can leak kernel memory to user.

http://git.kernel.org/linus/09384dfc76e526c3993c09c42e016372dc9dd22c

4) appletalk: fix atalk_getname() leak
atalk_getname() can leak 8 bytes of kernel memory to user

http://git.kernel.org/linus/3d392475c873c10c10d6d96b94d092a34ebd4791
http://milw0rm.com/exploits/9521

5) netrom: Fix nr_getname() leak
nr_getname() can leak kernel memory to user.

http://git.kernel.org/linus/f6b97b29513950bfbf621a83d85b6f86b39ec8db

6) econet: Fix econet_getname() leak
econet_getname() can leak kernel memory to user.

http://git.kernel.org/linus/80922bbb12a105f858a8f0abb879cb4302d0ecaa

7) rose: Fix rose_getname() leak
rose_getname() can leak kernel memory to user.

http://git.kernel.org/linus/17ac2e9c58b69a1e25460a568eae1b0dc0188c25

CVE request:
http://article.gmane.org/gmane.comp.security.oss.general/2029
http://article.gmane.org/gmane.comp.security.oss.general/2033
Comment 3 Eugene Teo (Security Response) 2009-08-25 22:26:10 EDT
1602 SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,
1603         int __user *, usockaddr_len)
1604 {
[...]
1617     err = sock->ops->getname(sock, (struct sockaddr *)&address, &len, 0);
1618     if (err)
1619         goto out_put;
1620     err = move_addr_to_user((struct sockaddr *)&address, len, usockaddr, usockaddr_len);

1101 static const struct proto_ops llc_ui_ops = {
[...]
1109     .getname     = llc_ui_getname,

 909 static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
 910               int *uaddrlen, int peer)
 911 {
[...]
 917     memset(&sllc, 0, sizeof(sllc)); <-- missing
 918     lock_sock(sk);
 919     if (sock_flag(sk, SOCK_ZAPPED))
 920         goto out;
 921     *uaddrlen = sizeof(sllc);
 922     memset(uaddr, 0, *uaddrlen);
[...]

 141 /**
 142  *  llc_ui_create - alloc and init a new llc_ui socket
[...]
 150 static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
 151 {
[...]
 155     if (!capable(CAP_NET_RAW)) <-- >= v2.6.25-rc9
 156         return -EPERM;
Comment 5 Vincent Danen 2009-08-28 13:49:37 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3001 to
the following vulnerability:

Name: CVE-2009-3001
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3001
Assigned: 20090828
Reference: MILW0RM:9513
Reference: URL: http://www.milw0rm.com/exploits/9513
Reference: MLIST:[oss-security] 20090826 CVE request: kernel: AF_LLC getsockname 5-Byte Stack Disclosure
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/26/1
Reference: MISC: http://jon.oberheide.org/files/llc-getsockname-leak.c
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=519305
Reference: BID:36126
Reference: URL: http://www.securityfocus.com/bid/36126
Reference: XF:linux-kernel-afllcgetsockname-info-disc(52732)
Reference: URL: http://xforce.iss.net/xforce/xfdb/52732

The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel
2.6.31-rc7 and earlier does not initialize a certain data structure,
which allows local users to read the contents of some kernel memory
locations by calling getsockname on an AF_LLC socket.
Comment 6 Vincent Danen 2009-08-28 13:52:20 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3002 to
the following vulnerability:

Name: CVE-2009-3002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3002
Assigned: 20090828
Reference: MILW0RM:9521
Reference: URL: http://www.milw0rm.com/exploits/9521
Reference: MLIST:[oss-security] 20090827 Re: CVE request: kernel: AF_LLC getsockname 5-Byte Stack Disclosure
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/27/1
Reference: MLIST:[oss-security] 20090827 Re: CVE request: kernel: AF_LLC getsockname 5-Byte Stack Disclosure
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/27/2
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=09384dfc76e526c3993c09c42e016372dc9dd22c
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=17ac2e9c58b69a1e25460a568eae1b0dc0188c25
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d392475c873c10c10d6d96b94d092a34ebd4791
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=80922bbb12a105f858a8f0abb879cb4302d0ecaa
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e84b90ae5eb3c112d1f208964df1d8156a538289
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b97b29513950bfbf621a83d85b6f86b39ec8db
Reference: CONFIRM: http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc7
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=519305
Reference: BID:36150
Reference: URL: http://www.securityfocus.com/bid/36150
Reference: SECUNIA:36438
Reference: URL: http://secunia.com/advisories/36438

The Linux kernel before 2.6.31-rc7 does not initialize certain data
structures within getname functions, which allows local users to read
the contents of some kernel memory locations by calling getsockname on
(1) an AF_APPLETALK socket, related to the atalk_getname function in
net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the
irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket,
related to the econet_getname function in net/econet/af_econet.c; (4)
an AF_NETROM socket, related to the nr_getname function in
net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the
rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket,
related to the raw_getname function in net/can/raw.c.
Comment 9 Eugene Teo (Security Response) 2009-09-07 01:17:12 EDT
CVE-2009-3001

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3001

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for PF_LLC sockets in the Linux kernels.


CVE-2009-3002

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3002

CVE-2009-3002 describes a collection of similar information leaks that affect numerous networking protocols.

The raw_getname() leak was introduced in the Linux kernel version 2.6.25-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not have a backport of this patch, and therefore are not affected by this issue.

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG did not enable support for IrDA sockets, and therefore are not affected by this issue. A future kernel update for Red Hat Enterprise Linux 3 will address this flaw.

The Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 did not enable support for the AppleTalk DDP protocol, and therefore are not affected by this issue. Future kernel updates for Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG will address this flaw.

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG did not enable support for the NET/ROM and ROSE protocols, and therefore are not affected by this issue. Future kernel updates for Red Hat Enterprise Linux 3 will address this flaw.

And finally, the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not enable support for the Acorn Econet and AUN protocols, and therefore are not affected by this issue.

Updated: September 15th, 2009
Comment 10 Fedora Update System 2009-10-02 07:00:22 EDT
kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10
Comment 11 Fedora Update System 2009-10-03 14:55:59 EDT
kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2009-11-03 13:21:17 EST
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
Comment 14 errata-xmlrpc 2009-11-03 17:03:28 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

Note You need to log in before you can comment on or make changes to this bug.