[kernel] r19143 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jun 12 22:59:52 UTC 2012
Author: dannf
Date: Tue Jun 12 22:59:51 2012
New Revision: 19143
Log:
net: sock: validate data_len before allocating skb in
sock_alloc_send_pskb() (CVE-2012-2136)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Tue Jun 12 22:50:02 2012 (r19142)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue Jun 12 22:59:51 2012 (r19143)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.32-45squeeze1) UNRELEASED; urgency=low
+
+ * net: sock: validate data_len before allocating skb in
+ sock_alloc_send_pskb() (CVE-2012-2136)
+
+ -- dann frazier <dannf at debian.org> Tue, 12 Jun 2012 16:56:29 -0600
+
linux-2.6 (2.6.32-45) stable; urgency=high
* Avoid ABI change on some archs due to a new #include in the
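Review bot: the new 2.6.32-45squeeze1 entry is marked urgency=low although its only item is a CVE fix, while the 2.6.32-45 entry directly below it uses urgency=high. Confirm that low is intended before the distribution is changed from UNRELEASED, or raise it to match how the fix should be treated.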
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch Tue Jun 12 22:59:51 2012 (r19143)
@@ -0,0 +1,45 @@
+commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc
+Author: Jason Wang <jasowang at redhat.com>
+Date: Wed May 30 21:18:10 2012 +0000
+
+ net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
+
+ We need to validate the number of pages consumed by data_len, otherwise frags
+ array could be overflowed by userspace. So this patch validate data_len and
+ return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
+
+ Signed-off-by: Jason Wang <jasowang at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 31e02d3..eb7de4f 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1396,6 +1396,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ gfp_t gfp_mask;
+ long timeo;
+ int err;
++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
++
++ err = -EMSGSIZE;
++ if (npages > MAX_SKB_FRAGS)
++ goto failure;
+
+ gfp_mask = sk->sk_allocation;
+ if (gfp_mask & __GFP_WAIT)
+@@ -1414,14 +1419,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
+ skb = alloc_skb(header_len, gfp_mask);
+ if (skb) {
+- int npages;
+ int i;
+
+ /* No pages, we're done... */
+ if (!data_len)
+ break;
+
+- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+ skb->truesize += data_len;
+ skb_shinfo(skb)->nr_frags = npages;
+ for (i = 0; i < npages; i++) {
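Review bot: in the first net/core/sock.c hunk, npages is declared as a signed int and computed from data_len by add-and-shift, and the only test applied is the upper bound "if (npages > MAX_SKB_FRAGS)". The declaration of data_len is not in the visible context; if it is wider than int, the computed value can truncate or turn negative and still pass that test, after which the second hunk stores it in skb_shinfo(skb)->nr_frags and uses it as the loop bound. Suggest giving npages the same unsigned type as data_len, or comparing data_len itself against the byte size of MAX_SKB_FRAGS pages, so the bound holds for every input. Since "goto failure" can now be taken before alloc_skb() is reached, also check that the failure path, which is outside the lines shown, does not depend on skb having been assigned.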
Added: dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Tue Jun 12 22:59:51 2012 (r19143)
@@ -0,0 +1 @@
++ bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch