[kernel] r16562 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Thu Nov 18 02:34:21 UTC 2010
Author: benh
Date: Thu Nov 18 02:34:18 2010
New Revision: 16562
Log:
rds: Fix integer overflow in RDS cmsg handling
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/28
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Tue Nov 16 04:22:23 2010 (r16561)
+++ dists/sid/linux-2.6/debian/changelog Thu Nov 18 02:34:18 2010 (r16562)
@@ -45,6 +45,7 @@
- memory corruption in X.25 facilities parsing (CVE-2010-3873)
- Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
* tcp: Increase TCP_MAXSEG socket option minimum (CVE-2010-4165)
+ * rds: Fix integer overflow in RDS cmsg handling
[ dann frazier ]
* [vserver] Update patch to 2.6.32.25-vs2.3.0.36.29.6
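Review bot: the added changelog line for the RDS fix carries no CVE identifier, while the three security entries directly above it each end in one. If an identifier has been assigned for this overflow, append it in the same "(CVE-...)" form so the entry can be tracked alongside the others.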
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch Thu Nov 18 02:34:18 2010 (r16562)
@@ -0,0 +1,36 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 17 Nov 2010 06:37:16 +0000
+Subject: [PATCH] rds: Integer overflow in RDS cmsg handling
+
+commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
+
+In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
+restricted to less than UINT_MAX. This seems to need a tighter upper
+bound, since the calculation of total iov_size can overflow, resulting
+in a small sock_kmalloc() allocation. This would probably just result
+in walking off the heap and crashing when calling rds_rdma_pages() with
+a high count value. If it somehow doesn't crash here, then memory
+corruption could occur soon after.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/rdma.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 8920f2a..4e37c1c 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ goto out;
+ }
+
+- if (args->nr_local > (u64)UINT_MAX) {
++ if (args->nr_local > UIO_MAXIOV) {
+ ret = -EMSGSIZE;
+ goto out;
+ }
+--
+1.7.2.3
+
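Review bot: at the changed comparison in rds_cmsg_rdma_args(), nothing says why UIO_MAXIOV is the limit, and the iov_size calculation it protects lies outside the three lines of context shown, so a reader of this site cannot tell that the bound exists to keep that size computation from wrapping. Suggest a short comment above `if (args->nr_local > UIO_MAXIOV) {` stating this. Also confirm against the full function that UIO_MAXIOV entries multiplied by the per-entry size fit the type in which iov_size is computed. The old line cast its constant to u64 and the new one does not. That is harmless if nr_local is an unsigned 64-bit field, as the old cast suggests, but it is worth checking the declaration, which is not visible here.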
Modified: dists/sid/linux-2.6/debian/patches/series/28
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/28 Tue Nov 16 04:22:23 2010 (r16561)
+++ dists/sid/linux-2.6/debian/patches/series/28 Thu Nov 18 02:34:18 2010 (r16562)
@@ -39,3 +39,4 @@
+ bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
+ bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
+ bugfix/all/tcp-Increase-TCP_MAXSEG-socket-option-minimum.patch
++ bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch