CVE-2016-5244 info leak in rds (rhbz 1343338 1343337)

2 files changed, 35 insertions, 0 deletions

diff --git a/kernel.spec b/kernel.spec
index a00ed1f7e..907e37b17 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -628,6 +628,9 @@ Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
 #CVE-2016-5243 rhbz 1343338 1343335
 Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 
+#CVE-2016-5244 rhbz 1343338 1343337
+Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2154,6 +2157,7 @@ fi
 # 
 %changelog
 * Tue Jun 07 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-5244 info leak in rds (rhbz 1343338 1343337)
 - CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335)
 
 * Wed Jun 01 2016 Josh Boyer <jwboyer@fedoraproject.org>
diff --git a/rds-fix-an-infoleak-in-rds_inc_info_copy.txt b/rds-fix-an-infoleak-in-rds_inc_info_copy.txt
new file mode 100644
index 000000000..a9b1e49fe
--- /dev/null
+++ b/rds-fix-an-infoleak-in-rds_inc_info_copy.txt
@@ -0,0 +1,31 @@
+From 4116def2337991b39919f3b448326e21c40e0dbb Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Thu, 2 Jun 2016 04:11:20 -0400
+Subject: rds: fix an infoleak in rds_inc_info_copy
+
+The last field "flags" of object "minfo" is not initialized.
+Copying this object out may leak kernel stack data.
+Assign 0 to it to avoid leak.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/recv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index c0be1ec..8413f6c 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -561,5 +561,7 @@ void rds_inc_info_copy(struct rds_incoming *inc,
+ 		minfo.fport = inc->i_hdr.h_dport;
+ 	}
+ 
++	minfo.flags = 0;
++
+ 	rds_info_copy(iter, &minfo, sizeof(minfo));
+ }
+-- 
+cgit v0.12
+