[kernel-sec-discuss] r4808 - active

Ben Hutchings benh at moszumanska.debian.org
Wed Dec 28 15:33:47 UTC 2016


Author: benh
Date: 2016-12-28 15:33:47 +0000 (Wed, 28 Dec 2016)
New Revision: 4808

Modified:
   active/CVE-2012-6704
Log:
Fill in status and scope of CVE-2012-6704


Modified: active/CVE-2012-6704
===================================================================
--- active/CVE-2012-6704	2016-12-26 07:47:40 UTC (rev 4807)
+++ active/CVE-2012-6704	2016-12-28 15:33:47 UTC (rev 4808)
@@ -1,10 +1,22 @@
-Description: net: cleanups in sock_setsockopt()
+Description: net: Negative socket receive buffer size permitted
 References:
 Notes:
+ bwh> Prior to commit 82981930125a "net: cleanups in sock_setsockopt()":
+ bwh> - The comparison with SOCK_MIN_SNDBUF used type int, so it
+ bwh>   rejected negative values
+ bwh> - The comparison with SOCK_MIN_RCVBUF used type size_t, so it did
+ bwh>   *not* reject negative values
+ bwh> - The comparisons of val with sysctl_wmem_max used type u32, so
+ bwh>   they rejected negative values *unless* sysctl_wmem_max >=
+ bwh>   1 << 30 (and why would you set it that high?!)
+ bwh> So it was possible to set a negative value for sock::sk_rcvbuf
+ bwh> through SO_RCVBUFFORCE (escalation from CAP_NET_ADMIN to kernel)
+ bwh> or through SO_RCVBUF (escalation from user to kernel) iff
+ bwh> sysctl_wmem_max was large enough.
 Bugs:
 upstream: released (3.5-rc1) [82981930125abfd39d7c8378a9cfdf5e1be2002b]
 3.16-upstream-stable: N/A "Fixed before initial 3.16 release"
-3.2-upstream-stable:
+3.2-upstream-stable: needed
 sid: released (3.8.11-1)
-3.16-jessie-security:
-3.2-wheezy-security: N/A "Fixed before initial 3.16 release"
+3.16-jessie-security: N/A "Fixed before initial 3.16 release"
+3.2-wheezy-security: needed
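
Review bot: The closing sentence of the added notes ("through SO_RCVBUF ... iff sysctl_wmem_max was large enough") names the send-side limit, although the field being set is sock::sk_rcvbuf. The SO_RCVBUF path is clamped against sysctl_rmem_max, not sysctl_wmem_max, so the third bullet and the closing condition should either name sysctl_rmem_max for the receive case or state that both limits were compared as u32. As written, anyone triaging the 3.2 backport from this note would check the wrong sysctl when judging whether the unprivileged path is reachable.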



