Description of problem:

1) NET: llc, zero sockaddr_llc struct
   sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc before copying to the above layer's structure.
   http://git.kernel.org/linus/3480c63bdf008e9289aab94418f43b9592978fff
   http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
   http://milw0rm.com/exploits/9513
   Note that LLC sockets are restricted to root since v2.6.25-rc9 (see commit 3480c63b).

2) can: Fix raw_getname() leak
   raw_getname() can leak 10 bytes of kernel memory to user.
   http://git.kernel.org/linus/e84b90ae5eb3c112d1f208964df1d8156a538289
   Note that this was introduced in v2.6.25-rc1.

3) irda: Fix irda_getname() leak
   irda_getname() can leak kernel memory to user.
   http://git.kernel.org/linus/09384dfc76e526c3993c09c42e016372dc9dd22c

4) appletalk: fix atalk_getname() leak
   atalk_getname() can leak 8 bytes of kernel memory to user.
   http://git.kernel.org/linus/3d392475c873c10c10d6d96b94d092a34ebd4791
   http://milw0rm.com/exploits/9521

5) netrom: Fix nr_getname() leak
   nr_getname() can leak kernel memory to user.
   http://git.kernel.org/linus/f6b97b29513950bfbf621a83d85b6f86b39ec8db

6) econet: Fix econet_getname() leak
   econet_getname() can leak kernel memory to user.
   http://git.kernel.org/linus/80922bbb12a105f858a8f0abb879cb4302d0ecaa

7) rose: Fix rose_getname() leak
   rose_getname() can leak kernel memory to user.
   http://git.kernel.org/linus/17ac2e9c58b69a1e25460a568eae1b0dc0188c25

CVE request:
http://article.gmane.org/gmane.comp.security.oss.general/2029
http://article.gmane.org/gmane.comp.security.oss.general/2033
Relevant code paths (net/socket.c and net/llc/af_llc.c):

    SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,
                    int __user *, usockaddr_len)
    {
    [...]
            err = sock->ops->getname(sock, (struct sockaddr *)&address, &len, 0);
            if (err)
                    goto out_put;
            err = move_addr_to_user((struct sockaddr *)&address, len, usockaddr, usockaddr_len);

    static const struct proto_ops llc_ui_ops = {
    [...]
            .getname = llc_ui_getname,

    static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
                              int *uaddrlen, int peer)
    {
    [...]
            memset(&sllc, 0, sizeof(sllc));          <-- missing
            lock_sock(sk);
            if (sock_flag(sk, SOCK_ZAPPED))
                    goto out;
            *uaddrlen = sizeof(sllc);
            memset(uaddr, 0, *uaddrlen);
    [...]

    /**
     * llc_ui_create - alloc and init a new llc_ui socket
    [...]
    static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
    {
    [...]
            if (!capable(CAP_NET_RAW))               <-- >= v2.6.25-rc9
                    return -EPERM;
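The pattern behind all seven leaks is the same: a sockaddr is built on the kernel stack, only the fields the protocol cares about are written, and the whole object (including unset members and padding) is copied to the caller by the generic getsockname path. The C program below is an added illustration, not code from this bug report or from the kernel. It models that path in userspace: the struct layout, the stale-byte marker standing in for leftover stack contents, and the handler names getname_vulnerable/getname_fixed are all constructed for the demonstration, with the layout sized so that the unwritten bytes add up to 5, like the LLC case in the report. leaked_bytes() plays the role of the getsockname()/move_addr_to_user() path and counts how many stale bytes reach the caller with and without the memset the fix adds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct sockaddr_llc. This is NOT the kernel's
 * real layout; it is sized so that the bytes the vulnerable handler never
 * writes (arphrd plus the trailing pad) add up to 5. Every field is
 * naturally aligned, so no implicit padding is expected on common ABIs. */
struct demo_sockaddr_llc {
    uint16_t family;   /* written by both handlers */
    uint16_t arphrd;   /* the member llc_ui_getname left unset */
    uint8_t  sap;      /* written by both handlers */
    uint8_t  mac[6];   /* written by both handlers */
    uint8_t  pad[3];   /* explicit stand-in for struct padding, never written */
};

#define DEMO_AF_LLC 26     /* AF_LLC on Linux */
#define STALE_BYTE  0xA5   /* constructed marker for leftover stack contents */

/* Vulnerable pattern (constructed): fill only the fields the protocol knows
 * about and leave the rest of the stack object as the previous frame left it. */
static void getname_vulnerable(struct demo_sockaddr_llc *sllc,
                               const uint8_t mac[6], uint8_t sap)
{
    sllc->family = DEMO_AF_LLC;
    sllc->sap = sap;
    memcpy(sllc->mac, mac, sizeof sllc->mac);
}

/* Fixed pattern, as the cited commits do: zero the whole object first. */
static void getname_fixed(struct demo_sockaddr_llc *sllc,
                          const uint8_t mac[6], uint8_t sap)
{
    memset(sllc, 0, sizeof *sllc);
    sllc->family = DEMO_AF_LLC;
    sllc->sap = sap;
    memcpy(sllc->mac, mac, sizeof sllc->mac);
}

/* Mirror of the getsockname() path: a stack sockaddr is handed to the
 * protocol's getname handler and then copied to the caller in full.
 * Returns how many bytes of that copy still carry the stale marker, i.e.
 * how many bytes of "kernel stack" reached the caller. */
size_t leaked_bytes(int use_fix)
{
    struct demo_sockaddr_llc sllc;
    uint8_t user_buf[sizeof sllc];
    const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    size_t i, leaked = 0;

    /* Constructed: pretend the stack slot still holds a previous frame. */
    memset(&sllc, STALE_BYTE, sizeof sllc);

    if (use_fix)
        getname_fixed(&sllc, mac, 0x42);
    else
        getname_vulnerable(&sllc, mac, 0x42);

    /* Stand-in for move_addr_to_user(): the whole struct is copied,
     * not just the fields the handler wrote. */
    memcpy(user_buf, &sllc, sizeof sllc);

    for (i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable handler leaks %zu byte(s)\n", leaked_bytes(0));
    printf("fixed handler leaks %zu byte(s)\n", leaked_bytes(1));
    return 0;
}
```

Build with any C compiler and run: the vulnerable variant reports 5 leaked bytes, the fixed one 0. The counts follow from the constructed layout, not from the real sockaddr_llc. The point of the hardened form is that it clears the full sizeof of the object before filling it, which is what each cited commit adds to its getname handler; writing fields one at a time can never cover padding, so an explicit memset over the whole object is the unambiguous way to make sure nothing from the previous stack frame is copied out.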
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3001 to the following vulnerability:

Name: CVE-2009-3001
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3001
Assigned: 20090828
Reference: MILW0RM:9513
Reference: URL: http://www.milw0rm.com/exploits/9513
Reference: MLIST:[oss-security] 20090826 CVE request: kernel: AF_LLC getsockname 5-Byte Stack Disclosure
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/26/1
Reference: MISC: http://jon.oberheide.org/files/llc-getsockname-leak.c
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=519305
Reference: BID:36126
Reference: URL: http://www.securityfocus.com/bid/36126
Reference: XF:linux-kernel-afllcgetsockname-info-disc(52732)
Reference: URL: http://xforce.iss.net/xforce/xfdb/52732

The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3002 to the following vulnerability:

Name: CVE-2009-3002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3002
Assigned: 20090828
Reference: MILW0RM:9521
Reference: URL: http://www.milw0rm.com/exploits/9521
Reference: MLIST:[oss-security] 20090827 Re: CVE request: kernel: AF_LLC getsockname 5-Byte Stack Disclosure
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/27/1
Reference: MLIST:[oss-security] 20090827 Re: CVE request: kernel: AF_LLC getsockname 5-Byte Stack Disclosure
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/27/2
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=09384dfc76e526c3993c09c42e016372dc9dd22c
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=17ac2e9c58b69a1e25460a568eae1b0dc0188c25
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d392475c873c10c10d6d96b94d092a34ebd4791
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=80922bbb12a105f858a8f0abb879cb4302d0ecaa
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e84b90ae5eb3c112d1f208964df1d8156a538289
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b97b29513950bfbf621a83d85b6f86b39ec8db
Reference: CONFIRM: http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc7
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=519305
Reference: BID:36150
Reference: URL: http://www.securityfocus.com/bid/36150
Reference: SECUNIA:36438
Reference: URL: http://secunia.com/advisories/36438

The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.
CVE-2009-3001
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3001

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for PF_LLC sockets in the Linux kernels.

CVE-2009-3002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3002

CVE-2009-3002 describes a collection of similar information leaks that affect numerous networking protocols.

The raw_getname() leak was introduced in the Linux kernel version 2.6.25-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not have a backport of this patch, and therefore are not affected by this issue.

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG did not enable support for IrDA sockets, and therefore are not affected by this issue. A future kernel update for Red Hat Enterprise Linux 3 will address this flaw.

The Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 did not enable support for the AppleTalk DDP protocol, and therefore are not affected by this issue. Future kernel updates for Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG will address this flaw.

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG did not enable support for the NET/ROM and ROSE protocols, and therefore are not affected by this issue. Future kernel updates for Red Hat Enterprise Linux 3 will address this flaw.

And finally, the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not enable support for the Acorn Econet and AUN protocols, and therefore are not affected by this issue.

Updated: September 15th, 2009
kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10
kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html