[kernel] r16577 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Nov 20 21:39:39 UTC 2010
Author: dannf
Date: Sat Nov 20 21:39:36 2010
New Revision: 16577
Log:
* net: Mitigate overflow issues
- Truncate recvfrom and sendto length to INT_MAX.
- Limit socket I/O iovec total length to INT_MAX.
- Resolves kernel heap overflow in the TIPC protocol (CVE-2010-3859)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 19:08:42 2010 (r16576)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 21:39:36 2010 (r16577)
@@ -19,6 +19,10 @@
* video/sis: prevent reading uninitialized stack memory (CVE-2010-4078)
* X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
* v4l1: fix 32-bit compat microcode loading translation (CVE-2010-2963)
+ * net: Mitigate overflow issues
+ - Truncate recvfrom and sendto length to INT_MAX.
+ - Limit socket I/O iovec total length to INT_MAX.
+ - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
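Review bot: typo in the added changelog line `+ - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)`: "protcol" should read "protocol". It would also help readers of the changelog to mention that the two bullet points are backports of the upstream commits a71f23d2ad52dbd9b3aa6b8b8089260130e4f57f and 94b149862dbac09f015484e892776bcd047da532 named in the patch headers, so the provenance of the fix is visible without opening the patch files.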
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch Sat Nov 20 21:39:36 2010 (r16577)
@@ -0,0 +1,76 @@
+commit a71f23d2ad52dbd9b3aa6b8b8089260130e4f57f
+Author: David S. Miller <davem at davemloft.net>
+Date: Thu Oct 28 11:41:55 2010 -0700
+
+ net: Limit socket I/O iovec total length to INT_MAX.
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ This helps protect us from overflow issues down in the
+ individual protocol sendmsg/recvmsg handlers. Once
+ we hit INT_MAX we truncate out the rest of the iovec
+ by setting the iov_len members to zero.
+
+ This works because:
+
+ 1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
+ writes are allowed and the application will just continue
+ with another write to send the rest of the data.
+
+ 2) For datagram oriented sockets, where there must be a
+ one-to-one correspondance between write() calls and
+ packets on the wire, INT_MAX is going to be far larger
+ than the packet size limit the protocol is going to
+ check for and signal with -EMSGSIZE.
+
+ Based upon a patch by Linus Torvalds.
+
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/compat.c b/net/compat.c
+index c823f6f..24b40c1 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
+ compat_size_t len;
+
+ if (get_user(len, &uiov32->iov_len) ||
+- get_user(buf, &uiov32->iov_base)) {
+- tot_len = -EFAULT;
+- break;
+- }
++ get_user(buf, &uiov32->iov_base))
++ return -EFAULT;
++
++ if (len > INT_MAX - tot_len)
++ len = INT_MAX - tot_len;
++
+ tot_len += len;
+ kiov->iov_base = compat_ptr(buf);
+ kiov->iov_len = (__kernel_size_t) len;
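Review bot: the error path changes from `tot_len = -EFAULT; break;` to `return -EFAULT;`, which skips whatever follows the loop in iov_from_user_compat_to_kern; that code is not in the hunk, so please confirm the 2.6.26 version of the function has no post-loop work that the original `break` relied on. The clamp itself looks right: `tot_len` stays within [0, INT_MAX], so `INT_MAX - tot_len` cannot go negative, and once the cap is hit every later `len` collapses to 0 and is written back through `kiov->iov_len = (__kernel_size_t) len;`, which is exactly the "truncate out the rest of the iovec" behaviour the commit message describes. Note that `len` is `compat_size_t` (unsigned), so the comparison `len > INT_MAX - tot_len` is done unsigned; that is safe only because the right-hand side is provably non-negative, which deserves a one-line comment.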
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index 755c37f..7f1fb83 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -60,14 +60,13 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int mode)
+ err = 0;
+
+ for (ct = 0; ct < m->msg_iovlen; ct++) {
+- err += iov[ct].iov_len;
+- /*
+- * Goal is not to verify user data, but to prevent returning
+- * negative value, which is interpreted as errno.
+- * Overflow is still possible, but it is harmless.
+- */
+- if (err < 0)
+- return -EMSGSIZE;
++ size_t len = iov[ct].iov_len;
++
++ if (len > INT_MAX - err) {
++ len = INT_MAX - err;
++ iov[ct].iov_len = len;
++ }
++ err += len;
+ }
+
+ return err;
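Review bot: the explanatory comment block is removed and nothing replaces it, yet the new loop has two non-obvious properties: it silently rewrites `iov[ct].iov_len` in place (so the caller's kernel iovec is modified, not just measured) and it drops the old `-EMSGSIZE` return, so callers that used to get an error on overflow now get a length capped at INT_MAX. Suggest a short comment above `size_t len = iov[ct].iov_len;` stating that the total is clamped to INT_MAX and the excess iov_len entries are zeroed so that the protocol handlers never see a negative or wrapped length. The arithmetic is sound given the `err = 0;` initialisation in the context: `err` never exceeds INT_MAX, so `INT_MAX - err` is non-negative before its promotion to `size_t` for the comparison.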
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch Sat Nov 20 21:39:36 2010 (r16577)
@@ -0,0 +1,31 @@
+commit 94b149862dbac09f015484e892776bcd047da532
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Oct 30 16:43:10 2010 -0700
+
+ net: Truncate recvfrom and sendto length to INT_MAX.
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/socket.c b/net/socket.c
+index 8aaa05b..f701190 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1596,6 +1596,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ struct iovec iov;
+ int fput_needed;
+
++ if (len > INT_MAX)
++ len = INT_MAX;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
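Review bot: the two new lines `if (len > INT_MAX) len = INT_MAX;` carry no rationale, and a reader of net/socket.c cannot tell whether truncating rather than rejecting the request is deliberate. Suggest a one-line comment referencing the reasoning from the companion iovec patch (partial writes are legal on SOCK_STREAM/SOCK_SEQPACKET, and datagram protocols will reject oversized messages with -EMSGSIZE anyway), so the clamp is not later "fixed" into an error return by someone reading the code cold. Placing the clamp before `sockfd_lookup_light` is fine since `len` is a plain local at that point.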
+@@ -1653,6 +1655,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ int err, err2;
+ int fput_needed;
+
++ if (size > INT_MAX)
++ size = INT_MAX;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
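Review bot: same idiom as the sendto hunk, so the same comment request applies to `if (size > INT_MAX) size = INT_MAX;`. One point worth recording: `size` is `size_t`, so the clamp matters on both word sizes. On 64-bit the unclamped value could exceed INT_MAX by a wide margin, and on 32-bit `size_t` still ranges up to UINT_MAX, which is twice INT_MAX, so a value above INT_MAX would wrap when stored in or returned through an `int` such as the `err` declared in the context above.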
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sat Nov 20 19:08:42 2010 (r16576)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sat Nov 20 21:39:36 2010 (r16577)
@@ -17,3 +17,5 @@
+ bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
+ bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
+ bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
++ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
++ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
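Review bot: the series appends the truncate patch before the limit patch, which is the reverse of the order in the changelog entry. This does not matter for applying the series, since the two patches touch disjoint files (net/socket.c versus net/compat.c and net/core/iovec.c), but keeping the changelog bullets and the series order aligned makes it easier to audit that every listed fix has a corresponding patch.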