From 583f2ea58f6b26794f0f4b9cf780a718a6e727d1 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Apr 24 2013 12:23:54 +0000
Subject: CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
---
diff --git a/crypto-algif-suppress-sending-source-address-informa.patch b/crypto-algif-suppress-sending-source-address-informa.patch
new file mode 100644
index 0000000..3484c25
--- /dev/null
+++ b/crypto-algif-suppress-sending-source-address-informa.patch
@@ -0,0 +1,46 @@
+From 72a763d805a48ac8c0bf48fdb510e84c12de51fe Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sun, 7 Apr 2013 14:05:39 +0200
+Subject: [PATCH] crypto: algif - suppress sending source address information
+ in recvmsg
+
+The current code does not set the msg_namelen member to 0 and therefore
+makes net/socket.c leak the local sockaddr_storage variable to userland
+-- 128 bytes of kernel stack memory. Fix that.
+
+Cc: # 2.6.38
+Signed-off-by: Mathias Krause
+Signed-off-by: Herbert Xu
+---
+ crypto/algif_hash.c | 2 ++
+ crypto/algif_skcipher.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
+index ef5356c..0262210 100644
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
+ else if (len < ds)
+ msg->msg_flags |= MSG_TRUNC;
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+ if (ctx->more) {
+ ctx->more = 0;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 6a6dfc0..a1c4f0a 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
+ long copied = 0;
+
+ lock_sock(sk);
++ msg->msg_namelen = 0;
+ for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
+ iovlen--, iov++) {
+ unsigned long seglen = iov->iov_len;
+--
+1.8.1.4
+
diff --git a/kernel.spec b/kernel.spec
index 072773c..c76f250 100644
--- a/kernel.spec
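Review bot: The store `msg->msg_namelen = 0;` lands before `lock_sock(sk)` in hash_recvmsg but after it in skcipher_recvmsg, and neither site says why a recvmsg handler that fills in no address has to clear the field; a short comment at each, `/* no source address for this socket: keep net/socket.c from copying an unset sockaddr_storage back to userland */`, would carry the rationale from the patch description into the code. msg is presumably the kernel-side msghdr for this call rather than socket state, so the position relative to lock_sock should be immaterial, but that is worth confirming rather than assuming. Both hash_recvmsg and skcipher_recvmsg begin and end outside the hunk, so it cannot be checked here whether any return path leaves either function before the store. The ax25 and RFCOMM entries already carried in kernel.spec (CVE-2013-3223, CVE-2013-3225) fix the same msg_namelen omission in other protocols, so an audit of the remaining recvmsg handlers in this kernel is the defensive follow-up rather than waiting for the next per-protocol CVE.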
+++ b/kernel.spec
@@ -798,6 +798,9 @@ Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
 #CVE-2013-3223 rhbz 955662 955666
 Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+#CVE-2013-3076 956162 956168
+Patch25019: crypto-algif-suppress-sending-source-address-informa.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1554,6 +1557,9 @@ ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
 #CVE-2013-3223 rhbz 955662 955666
 ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+#CVE-2013-3076 956162 956168
+ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2410,6 +2416,9 @@ fi
 # '-' | | # '-'
 %changelog
+* Wed Apr 24 2013 Josh Boyer
+- CVE-2013-3076 crypto: algif suppress sending src addr info in recvmsg (rhbz 956162 956168)
+
 * Tue Apr 23 2013 Josh Boyer
 - CVE-2013-3223 ax25: information leak via msg_name in ax25_recvmsg (rhbz 955662 955666)
 - CVE-2013-3225 Bluetooth: RFCOMM missing msg_namelen update in rfcomm_sock_recvmsg (rhbz 955649 955658)
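Review bot: The two added comment lines `#CVE-2013-3076 956162 956168` drop the `rhbz` tag that the neighbouring `#CVE-2013-3223 rhbz 955662 955666` entries carry, in both the Patch25019 definition hunk and the ApplyPatch hunk. The changelog line in the same commit does say `rhbz 956162 956168`, so the spec comments are the odd ones out; write `#CVE-2013-3076 rhbz 956162 956168` in both places so the bug references stay greppable in one form. The changelog hunk needs no change.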