[kernel] r16562 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Thu Nov 18 02:34:21 UTC 2010


Author: benh
Date: Thu Nov 18 02:34:18 2010
New Revision: 16562

Log:
rds: Fix integer overflow in RDS cmsg handling

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/28

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Tue Nov 16 04:22:23 2010	(r16561)
+++ dists/sid/linux-2.6/debian/changelog	Thu Nov 18 02:34:18 2010	(r16562)
@@ -45,6 +45,7 @@
     - memory corruption in X.25 facilities parsing (CVE-2010-3873)
     - Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
   * tcp: Increase TCP_MAXSEG socket option minimum (CVE-2010-4165)
+  * rds: Fix integer overflow in RDS cmsg handling
 
   [ dann frazier ]
   * [vserver] Update patch to 2.6.32.25-vs2.3.0.36.29.6
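Review bot: The added changelog line "rds: Fix integer overflow in RDS cmsg handling" carries no CVE reference, while the three security entries directly above it each name one (CVE-2010-3873, CVE-2010-4164, CVE-2010-4165). If an identifier has been assigned for this issue, append it in the same parenthesised form so the fix is visible to anyone tracking the package by CVE. If none exists yet, update the entry once one is allocated.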

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch	Thu Nov 18 02:34:18 2010	(r16562)
@@ -0,0 +1,36 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 17 Nov 2010 06:37:16 +0000
+Subject: [PATCH] rds: Integer overflow in RDS cmsg handling
+
+commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
+
+In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
+restricted to less than UINT_MAX.  This seems to need a tighter upper
+bound, since the calculation of total iov_size can overflow, resulting
+in a small sock_kmalloc() allocation.  This would probably just result
+in walking off the heap and crashing when calling rds_rdma_pages() with
+a high count value.  If it somehow doesn't crash here, then memory
+corruption could occur soon after.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/rdma.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 8920f2a..4e37c1c 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ 		goto out;
+ 	}
+ 
+-	if (args->nr_local > (u64)UINT_MAX) {
++	if (args->nr_local > UIO_MAXIOV) {
+ 		ret = -EMSGSIZE;
+ 		goto out;
+ 	}
+-- 
+1.7.2.3
+
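Review bot: In the net/rds/rdma.c hunk, nothing at the new check `if (args->nr_local > UIO_MAXIOV)` says why UIO_MAXIOV is the limit. The link to the iov_size calculation and the sock_kmalloc() size is recorded only in the commit message. A short comment above the check, stating that nr_local is user-provided and must stay small enough that the iov_size computation cannot wrap, would keep a later cleanup from loosening the bound again. The message's wording ("seems to need", "would probably just result in") also leaves the impact unassessed. Since it allows that memory corruption could follow, handle this as a security fix when deciding on backports, not as a plain crash fix.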

Modified: dists/sid/linux-2.6/debian/patches/series/28
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/28	Tue Nov 16 04:22:23 2010	(r16561)
+++ dists/sid/linux-2.6/debian/patches/series/28	Thu Nov 18 02:34:18 2010	(r16562)
@@ -39,3 +39,4 @@
 + bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
 + bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
 + bugfix/all/tcp-Increase-TCP_MAXSEG-socket-option-minimum.patch
++ bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch


