[kernel] r16577 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Nov 20 21:39:39 UTC 2010 

Author: dannf
Date: Sat Nov 20 21:39:36 2010
New Revision: 16577

Log:
* net: Mitigate overflow issues
   - Truncate recvfrom and sendto length to INT_MAX.
   - Limit socket I/O iovec total length to INT_MAX.
   - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 19:08:42 2010	(r16576)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 21:39:36 2010	(r16577)
@@ -19,6 +19,10 @@
   * video/sis: prevent reading uninitialized stack memory (CVE-2010-4078)
   * X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
   * v4l1: fix 32-bit compat microcode loading translation (CVE-2010-2963)
+  * net: Mitigate overflow issues
+     - Truncate recvfrom and sendto length to INT_MAX.
+     - Limit socket I/O iovec total length to INT_MAX.
+     - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch	Sat Nov 20 21:39:36 2010	(r16577)
@@ -0,0 +1,76 @@
+commit a71f23d2ad52dbd9b3aa6b8b8089260130e4f57f
+Author: David S. Miller <davem at davemloft.net>
+Date:   Thu Oct 28 11:41:55 2010 -0700
+
+    net: Limit socket I/O iovec total length to INT_MAX.
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    This helps protect us from overflow issues down in the
+    individual protocol sendmsg/recvmsg handlers.  Once
+    we hit INT_MAX we truncate out the rest of the iovec
+    by setting the iov_len members to zero.
+    
+    This works because:
+    
+    1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
+       writes are allowed and the application will just continue
+       with another write to send the rest of the data.
+    
+    2) For datagram oriented sockets, where there must be a
+       one-to-one correspondance between write() calls and
+       packets on the wire, INT_MAX is going to be far larger
+       than the packet size limit the protocol is going to
+       check for and signal with -EMSGSIZE.
+    
+    Based upon a patch by Linus Torvalds.
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/compat.c b/net/compat.c
+index c823f6f..24b40c1 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
+ 		compat_size_t len;
+ 
+ 		if (get_user(len, &uiov32->iov_len) ||
+-		   get_user(buf, &uiov32->iov_base)) {
+-			tot_len = -EFAULT;
+-			break;
+-		}
++		    get_user(buf, &uiov32->iov_base))
++			return -EFAULT;
++
++		if (len > INT_MAX - tot_len)
++			len = INT_MAX - tot_len;
++
+ 		tot_len += len;
+ 		kiov->iov_base = compat_ptr(buf);
+ 		kiov->iov_len = (__kernel_size_t) len;
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index 755c37f..7f1fb83 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -60,14 +60,13 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int mode)
+ 	err = 0;
+ 
+ 	for (ct = 0; ct < m->msg_iovlen; ct++) {
+-		err += iov[ct].iov_len;
+-		/*
+-		 * Goal is not to verify user data, but to prevent returning
+-		 * negative value, which is interpreted as errno.
+-		 * Overflow is still possible, but it is harmless.
+-		 */
+-		if (err < 0)
+-			return -EMSGSIZE;
++		size_t len = iov[ct].iov_len;
++
++		if (len > INT_MAX - err) {
++			len = INT_MAX - err;
++			iov[ct].iov_len = len;
++		}
++		err += len;
+ 	}
+ 
+ 	return err;

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch	Sat Nov 20 21:39:36 2010	(r16577)
@@ -0,0 +1,31 @@
+commit 94b149862dbac09f015484e892776bcd047da532
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Sat Oct 30 16:43:10 2010 -0700
+
+    net: Truncate recvfrom and sendto length to INT_MAX.
+    
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/socket.c b/net/socket.c
+index 8aaa05b..f701190 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1596,6 +1596,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ 	struct iovec iov;
+ 	int fput_needed;
+ 
++	if (len > INT_MAX)
++		len = INT_MAX;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1653,6 +1655,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ 	int err, err2;
+ 	int fput_needed;
+ 
++	if (size > INT_MAX)
++		size = INT_MAX;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sat Nov 20 19:08:42 2010	(r16576)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sat Nov 20 21:39:36 2010	(r16577)
@@ -17,3 +17,5 @@
 + bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
 + bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
++ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
++ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch

More information about the Kernel-svn-changes mailing list