Bugzilla – Bug 809906
VUL-1: CVE-2013-2546: kernel: crypto: various information leaks
Last modified: 2019-05-02 09:03:32 UTC
is public, via oss-sec CVE-2013-2546 http://www.openwall.com/lists/oss-security/2013/03/05/13 The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. commit 9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6 Author: Mathias Krause <minipli@googlemail.com> Date: Tue Feb 5 18:19:13 2013 +0100 crypto: user - fix info leaks in report API Three errors resulting in kernel memory disclosure: 1/ The structures used for the netlink based crypto algorithm report API are located on the stack. As snprintf() does not fill the remainder of the buffer with null bytes, those stack bytes will be disclosed to users of the API. Switch to strncpy() to fix this. 2/ crypto_report_one() does not initialize all field of struct crypto_user_alg. Fix this to fix the heap info leak. 3/ For the module name we should copy only as many bytes as module_name() returns -- not as much as the destination buffer could hold. But the current code does not and therefore copies random data from behind the end of the module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME. Also switch to use strncpy() to copy the algorithm's name and driver_name. They are strings, after all.
The above commit also received the following CVEs: CVE-2013-2547 The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. CVE-2013-2548 The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
bugbot adjusting priority
not yet in 3.0.x
Userspace configuration crypto API has been added in 3.2-rc2. I haven't checked directly the affected code but this means that no SLE* branch is not affected.
perl bin/addnote CVE-2013-2546 "The affected crypto code was introduced in Linux kernel 3.2 and not backported to older kernel versions. So SUSE Linux Enterprise 11 or earlier versions are not affected by this problem." - only opensuse fixes needed if at all.
Applied to openSUSE 12.2 via 3.4.36. Applied to openSUSE 12.3. Applied upstream in 3.9 so newer releases are unaffected.
opensuse updates running, lets close
openSUSE-SU-2013:1971-1: An update that solves 34 vulnerabilities and has 19 fixes is now available. Category: security (moderate) Bug References: 799516,801341,802347,804198,807153,807188,807471,808827,809906,810144,810473,811882,812116,813733,813889,814211,814336,814510,815256,815320,816668,816708,817651,818053,818561,821612,821735,822575,822579,823267,823342,823517,823633,823797,824171,824295,826102,826350,826374,827749,827750,828119,828191,828714,829539,831058,831956,832615,833321,833585,834647,837258,838346 CVE References: CVE-2013-0914,CVE-2013-1059,CVE-2013-1819,CVE-2013-1929,CVE-2013-1979,CVE-2013-2141,CVE-2013-2148,CVE-2013-2164,CVE-2013-2206,CVE-2013-2232,CVE-2013-2234,CVE-2013-2237,CVE-2013-2546,CVE-2013-2547,CVE-2013-2548,CVE-2013-2634,CVE-2013-2635,CVE-2013-2851,CVE-2013-2852,CVE-2013-3222,CVE-2013-3223,CVE-2013-3224,CVE-2013-3226,CVE-2013-3227,CVE-2013-3228,CVE-2013-3229,CVE-2013-3230,CVE-2013-3231,CVE-2013-3232,CVE-2013-3233,CVE-2013-3234,CVE-2013-3235,CVE-2013-3301,CVE-2013-4162 Sources used: openSUSE 12.3 (src): kernel-docs-3.7.10-1.24.1, kernel-source-3.7.10-1.24.1, kernel-syms-3.7.10-1.24.1