From a26d52b3e962286a663a9b8c50eddfa79da40ae2 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: May 05 2016 12:51:54 +0000 Subject: CVE-2016-4486 CVE-2016-4485 info leaks (rhbz 1333316 1333309 1333321) --- diff --git a/kernel.spec b/kernel.spec index baa9cb2..067664e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -623,6 +623,10 @@ Patch703: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch +#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 +Patch707: net-fix-infoleak-in-llc.patch +Patch708: net-fix-infoleak-in-rtnetlink.patch + # END OF PATCH DEFINITIONS %endif @@ -2148,6 +2152,9 @@ fi # # %changelog +* Thu May 05 2016 Josh Boyer +- CVE-2016-4486 CVE-2016-4485 info leaks (rhbz 1333316 1333309 1333321) + * Wed May 04 2016 Josh Boyer - 4.6.0-0.rc6.git2.1 - Linux v4.6-rc6-113-g83858a701cf3 - Enable NFC_NXP_NCI options (rhbz 1290556) diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch new file mode 100644 index 0000000..38f0d50 --- /dev/null +++ b/net-fix-infoleak-in-llc.patch @@ -0,0 +1,32 @@ +From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:35:05 -0400 +Subject: [PATCH 2/2] net: fix infoleak in llc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “info” has a total size of 12 bytes. Its last byte +is padding which is not initialized and leaked via “put_cmsg”. + +Signed-off-by: Kangjie Lu +Signed-off-by: David S. Miller +--- + net/llc/af_llc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index b3c52e3f689a..8ae3ed97d95c 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) + if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { + struct llc_pktinfo info; + ++ memset(&info, 0, sizeof(info)); + info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; + llc_pdu_decode_dsap(skb, &info.lpi_sap); + llc_pdu_decode_da(skb, info.lpi_mac); +-- +2.5.5 + diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch new file mode 100644 index 0000000..0da3510 --- /dev/null +++ b/net-fix-infoleak-in-rtnetlink.patch @@ -0,0 +1,50 @@ +From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:46:24 -0400 +Subject: [PATCH 1/2] net: fix infoleak in rtnetlink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “map” has a total size of 32 bytes. Its last 4 +bytes are padding generated by compiler. These padding bytes are +not initialized and sent out via “nla_put”. + +Signed-off-by: Kangjie Lu +Signed-off-by: David S. Miller +--- + net/core/rtnetlink.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index a75f7e94b445..65763c29f845 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, + + static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) + { +- struct rtnl_link_ifmap map = { +- .mem_start = dev->mem_start, +- .mem_end = dev->mem_end, +- .base_addr = dev->base_addr, +- .irq = dev->irq, +- .dma = dev->dma, +- .port = dev->if_port, +- }; ++ struct rtnl_link_ifmap map; ++ ++ memset(&map, 0, sizeof(map)); ++ map.mem_start = dev->mem_start; ++ map.mem_end = dev->mem_end; ++ map.base_addr = dev->base_addr; ++ map.irq = dev->irq; ++ map.dma = dev->dma; ++ map.port = dev->if_port; ++ + if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) + return -EMSGSIZE; + +-- +2.5.5 +