[kernel] r16479 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 25 02:19:41 UTC 2010
Author: dannf
Date: Mon Oct 25 02:19:20 2010
New Revision: 16479
Log:
aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:18:40 2010 (r16478)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:19:20 2010 (r16479)
@@ -1,6 +1,7 @@
linux-2.6 (2.6.26-25lenny2) UNRELEASED; urgency=high
* net sched: fix kernel leak in act_police (CVE-2010-3477)
+ * aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
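Review bot: the maintainer trailer in the trailing context line still carries the 30 Sep 2010 date and signature of the first entry, while this entry is added on 25 Oct; that is acceptable while the header stays UNRELEASED, but the trailer needs refreshing when 2.6.26-25lenny2 is closed, or the changelog will claim the CVE-2010-3067 fix predates the upstream commit it backports.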
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch Mon Oct 25 02:19:20 2010 (r16479)
@@ -0,0 +1,41 @@
+commit 0565f633733ae622c6c9c6b85f36b5bdf4d10085
+Author: Jeff Moyer <jmoyer at redhat.com>
+Date: Fri Sep 10 14:16:00 2010 -0700
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ aio: check for multiplication overflow in do_io_submit
+
+ Tavis Ormandy pointed out that do_io_submit does not do proper bounds
+ checking on the passed-in iocb array:
+
+ if (unlikely(nr < 0))
+ return -EINVAL;
+
+ if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
+ return -EFAULT; ^^^^^^^^^^^^^^^^^^
+
+ The attached patch checks for overflow, and if it is detected, the
+ number of iocbs submitted is scaled down to a number that will fit in
+ the long. This is an ok thing to do, as sys_io_submit is documented as
+ returning the number of iocbs submitted, so callers should handle a
+ return value of less than the 'nr' argument passed in.
+
+ Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+ Signed-off-by: Jeff Moyer <jmoyer at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 8ed807d..f1c7b64 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1662,6 +1662,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
+ if (unlikely(nr < 0))
+ return -EINVAL;
+
++ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
++ nr = LONG_MAX/sizeof(*iocbpp);
++
+ if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
+ return -EFAULT;
+
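Review bot: the new `nr > LONG_MAX/sizeof(*iocbpp)` comparison only works because it sits after the `nr < 0` check: `nr` is a signed `long` and is promoted to `unsigned long` for the comparison, so a negative `nr` reaching this line would look enormous and be silently clamped to `LONG_MAX/sizeof(*iocbpp)` instead of rejected with -EINVAL; anyone re-ordering these checks in a later rebase must keep the sign test first. Two smaller points for the backport note: the hunk header shows the code landing in `SYSCALL_DEFINE3(io_submit, ...)` rather than the `do_io_submit` named in the subject, since 2.6.26 has no such helper, and the message quotes the old expression as `sizeof(iocbpp)` while the context line reads `sizeof(*iocbpp)`; both are pointer-sized on every Debian architecture so the clamp bound is unchanged, but the discrepancy is worth one line so the next backporter does not go looking for a missing hunk.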
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:18:40 2010 (r16478)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:19:20 2010 (r16479)
@@ -1 +1,2 @@
+ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
++ bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
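The overflow the commit message describes, and the effect of the clamp, as an added user-space model that is not Debian's or the kernel's code: `model_access_ok`, `MODEL_TASK_SIZE` and the sample user address `0x1000` are constructed stand-ins for the kernel's `access_ok()`, its user/kernel boundary and a caller's `iocbpp` argument, and `iocb_ptr` stands in for `struct iocb __user *`. `submit_len_check_before` reproduces the pre-patch logic, `submit_len_check_after` the patched logic, and `wrapping_nr` computes an `nr` whose byte count wraps to the size of a single pointer on whatever word size the code is compiled for.

```c
/*
 * Added example (not Debian's or the kernel's code): a user-space model of
 * the io_submit length check from fs/aio.c before and after the
 * CVE-2010-3067 clamp.  The user/kernel split, the access_ok() model and
 * the sample user address are constructed for the demonstration.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct iocb __user *: iocbpp points at an array of these. */
typedef struct iocb_stub *iocb_ptr;

/* Constructed user/kernel boundary: addresses below this are "user space". */
#define MODEL_TASK_SIZE (SIZE_MAX / 2)

/* Model of access_ok(VERIFY_READ, addr, size): the whole [addr, addr+size)
 * range must lie below the boundary.  Like the real one it only tests the
 * byte range it is handed; it never looks at nr itself. */
static int model_access_ok(uintptr_t addr, size_t size)
{
	return size <= MODEL_TASK_SIZE && addr <= MODEL_TASK_SIZE - size;
}

/* Pre-patch logic: nr*sizeof() is computed in unsigned arithmetic (nr is
 * promoted to unsigned long), so a large nr wraps to a small byte count
 * and access_ok() is asked about a range that has nothing to do with nr. */
long submit_len_check_before(uintptr_t iocbpp, long nr)
{
	if (nr < 0)
		return -EINVAL;
	if (!model_access_ok(iocbpp, nr * sizeof(iocb_ptr)))
		return -EFAULT;
	return nr;	/* count of iocb pointers the kernel would go on to read */
}

/* The patch's clamp: bound nr so that nr*sizeof() never exceeds LONG_MAX.
 * The comparison promotes nr to unsigned long, so callers must have
 * rejected negative nr already (as the patch does). */
long clamp_nr(long nr)
{
	if (nr > LONG_MAX / sizeof(iocb_ptr))
		nr = LONG_MAX / sizeof(iocb_ptr);
	return nr;
}

/* Patched logic: same checks, with the clamp in between. */
long submit_len_check_after(uintptr_t iocbpp, long nr)
{
	if (nr < 0)
		return -EINVAL;
	nr = clamp_nr(nr);
	if (!model_access_ok(iocbpp, nr * sizeof(iocb_ptr)))
		return -EFAULT;
	return nr;
}

/* An nr whose byte count wraps: with s = sizeof(iocb_ptr),
 * (SIZE_MAX/s + 2) * s == s (mod 2^bits), and the value still fits a long. */
long wrapping_nr(void)
{
	return (long)(SIZE_MAX / sizeof(iocb_ptr) + 2);
}

/* The byte count the pre-patch check actually hands to access_ok(). */
size_t wrapped_bytes(long nr)
{
	return (size_t)nr * sizeof(iocb_ptr);
}

int main(void)
{
	const uintptr_t user_ptr = 0x1000;	/* constructed user address */
	long nr = wrapping_nr();

	printf("nr = %ld, bytes seen by access_ok = %zu\n", nr, wrapped_bytes(nr));
	printf("before patch: %ld\n", submit_len_check_before(user_ptr, nr));
	printf("after patch:  %ld\n", submit_len_check_after(user_ptr, nr));
	return 0;
}
```

With the clamp in place the byte count for the oversized `nr` no longer wraps, so the range check sees a request spanning almost the whole address space and rejects it with -EFAULT; the "scaled down" return the commit message mentions only arises when the clamped range still fits below the user boundary, which it cannot on a split where user space is at most half the address space.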