oss-sec mailing list archives
CVE Request -- kernel: recv{from,msg}() on an rds socket can leak kernel memory
From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 26 Jul 2012 17:25:12 +0200
Two similar issues:

1) Reported by Jay Fenlason and Doug Ledford: recvfrom() on an RDS socket can disclose sizeof(struct sockaddr_storage)-sizeof(struct sockaddr_in) bytes of kernel stack to userspace when receiving a datagram.

2) Reported by Jay Fenlason: recv{from,msg}() on an RDS socket can disclose sizeof(struct sockaddr_storage) bytes of kernel stack to userspace when other code paths are taken.

Both issues end in rds_recvmsg() so one CVE is sufficient.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=06b6a1cf6e776426766298d055bb3991957d90a7

Thanks,
--
Petr Matousek / Red Hat Security Response Team
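
Added example, not part of the original message and not the kernel's or the upstream commit's code: a userspace model that reproduces the two byte counts quoted above and shows one way a receive handler can avoid the copy-out of stale bytes. The names model_recv and stale_bytes_copied, the default length set by the generic layer, and the "no address written" path standing in for the "other code paths" are all assumptions of this model.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define STALE 0xAA /* constructed marker standing in for old stack contents */

/* Hypothetical protocol receive handler (a model, not the RDS code).
 * fixed == 0: never reports how many address bytes it wrote. */
static void model_recv(struct sockaddr_storage *addr, size_t *namelen,
                       int have_dgram, int fixed)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)addr;

    if (fixed)
        *namelen = 0;               /* nothing valid yet */
    if (!have_dgram)
        return;                     /* path that fills in no address */
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(4000);    /* constructed sample peer */
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fixed)
        *namelen = sizeof(*sin);    /* report only what was written */
}

/* Hypothetical generic socket layer: keeps the address buffer on its own
 * stack and copies namelen bytes back. Returns the stale bytes copied. */
size_t stale_bytes_copied(int have_dgram, int fixed)
{
    struct sockaddr_storage kaddr;
    unsigned char user[sizeof(kaddr)];
    size_t namelen = sizeof(kaddr), i, stale = 0;

    memset(&kaddr, STALE, sizeof(kaddr));   /* simulate uninitialised stack */
    model_recv(&kaddr, &namelen, have_dgram, fixed);
    memcpy(user, &kaddr, namelen);          /* the copy-out to the caller */
    for (i = 0; i < namelen; i++)
        stale += (user[i] == STALE);
    return stale;
}

int main(void)
{
    printf("datagram, unfixed:   %zu\n", stale_bytes_copied(1, 0));
    printf("no address, unfixed: %zu\n", stale_bytes_copied(0, 0));
    printf("datagram, fixed:     %zu\n", stale_bytes_copied(1, 1));
    printf("no address, fixed:   %zu\n", stale_bytes_copied(0, 1));
    return 0;
}
```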