[kernel] r11858 - in dists/etch/linux-2.6.24/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jul 19 20:59:22 UTC 2008
Author: dannf
Date: Sat Jul 19 20:59:21 2008
New Revision: 11858
Log:
Fix potential memory corruption in pppol2tp_recvmsg
(CVE-2008-2750)
Added:
dists/etch/linux-2.6.24/debian/patches/bugfix/l2tp-pppol2tp_recvmsg-corruption.patch
Modified:
dists/etch/linux-2.6.24/debian/changelog
dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4
Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog (original)
+++ dists/etch/linux-2.6.24/debian/changelog Sat Jul 19 20:59:21 2008
@@ -14,8 +14,10 @@
* Avoid tripping BUG() in IPsec code when the first fragment
of an ESP packet does not contain the entire ESP header and IV
(CVE-2007-6282)
+ * Fix potential memory corruption in pppol2tp_recvmsg
+ (CVE-2008-2750)
- -- dann frazier <dannf at debian.org> Fri, 18 Jul 2008 16:52:15 -0600
+ -- dann frazier <dannf at debian.org> Sat, 19 Jul 2008 14:07:20 -0600
linux-2.6.24 (2.6.24-6~etchnhalf.3) stable; urgency=low
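Review bot: the new changelog entry describes only the memory-corruption fix, but the backported patch also changes user-visible recvmsg() behaviour: a datagram longer than the caller's buffer is now truncated and flagged with MSG_TRUNC instead of being copied in full. Consider mentioning the truncation semantics in the entry so users of PPPoL2TP sockets can account for it.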
Added: dists/etch/linux-2.6.24/debian/patches/bugfix/l2tp-pppol2tp_recvmsg-corruption.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/l2tp-pppol2tp_recvmsg-corruption.patch Sat Jul 19 20:59:21 2008
@@ -0,0 +1,51 @@
+commit 6b6707a50c7598a83820077393f8823ab791abf8
+Author: James Chapman <jchapman at katalix.com>
+Date: Tue Jun 10 12:35:00 2008 -0700
+
+ l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
+
+ This patch fixes a potential memory corruption in
+ pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
+ length, memcpy_toiovec() will go into unintialized data on the kernel
+ heap, interpret it as an iovec and start modifying memory.
+
+ The fix is to change the memcpy_toiovec() call to
+ skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
+ are handled properly. Also check that the caller's buffer is big
+ enough for the data and set the MSG_TRUNC flag if it is not so.
+
+ Reported-by: Ilja <ilja at netric.org>
+ Signed-off-by: James Chapman <jchapman at katalix.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
+index 70cfdb4..f929882 100644
+--- a/drivers/net/pppol2tp.c
++++ b/drivers/net/pppol2tp.c
+@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
+ err = 0;
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+- if (skb) {
+- err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
+- skb->len);
+- if (err < 0)
+- goto do_skb_free;
+- err = skb->len;
+- }
+-do_skb_free:
++ if (!skb)
++ goto end;
++
++ if (len > skb->len)
++ len = skb->len;
++ else if (len < skb->len)
++ msg->msg_flags |= MSG_TRUNC;
++
++ err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
++ if (likely(err == 0))
++ err = len;
++
+ kfree_skb(skb);
+ end:
+ return err;
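Review bot: in the truncation path of the inner pppol2tp_recvmsg() hunk, the function always returns the clamped `len`, even when the caller passed MSG_TRUNC in `flags`; other datagram recvmsg implementations return the full skb->len in that case so userspace can learn the real datagram size. Consider `err = (flags & MSG_TRUNC) ? skb->len : len;` in place of `err = len;`. The clamp itself (`if (len > skb->len) len = skb->len;`) together with switching to skb_copy_datagram_iovec() is what bounds the copy to the caller's buffer and removes the over-read of msg_iov that the old memcpy_toiovec(..., skb->len) call allowed. Minor: the embedded commit message misspells "uninitialized" as "unintialized".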
Modified: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4
==============================================================================
--- dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4 (original)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4 Sat Jul 19 20:59:21 2008
@@ -1,3 +1,4 @@
+ bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
+ bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch
+ bugfix/esp-iv-in-linear-part-of-skb.patch
++ bugfix/l2tp-pppol2tp_recvmsg-corruption.patch