[kernel] r22879 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at moszumanska.debian.org
Sat Aug 1 17:27:55 UTC 2015
Author: benh
Date: Sat Aug 1 17:27:55 2015
New Revision: 22879
Log:
sg_start_req(): make sure that there's not too many elements in iovec
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Sat Aug 1 17:20:24 2015 (r22878)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sat Aug 1 17:27:55 2015 (r22879)
@@ -2,6 +2,7 @@
[ Ben Hutchings ]
* udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
+ * sg_start_req(): make sure that there's not too many elements in iovec
-- Ben Hutchings <ben at decadent.org.uk> Sun, 28 Jun 2015 23:23:19 +0100
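Review bot: The added sg_start_req() entry carries no CVE or bug identifier, while the udp entry directly above it lists CVE-2015-5364 and CVE-2015-5366. If an identifier has been assigned to this fix, append it to the entry in the same parenthesised form so the changelog can be matched against security tracking; if none has been assigned, saying so in the commit log would save the next reader a search.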
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch Sat Aug 1 17:27:55 2015 (r22879)
@@ -0,0 +1,34 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sat, 21 Mar 2015 20:08:18 -0400
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+Origin: https://git.kernel.org/linus/451a2886b6bf90e2fb378f7c46c655450fb96e81
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there. If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+X-Coverup: TINC (and there's no lumber cartel either)
+Cc: stable at vger.kernel.org # way, way back
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
+ that function.]
+---
+ drivers/scsi/sg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1662,6 +1662,9 @@ static int sg_start_req(Sg_request *srp,
+ md->from_user = 0;
+ }
+
++ if (unlikely(iov_count > UIO_MAXIOV))
++ return -EINVAL;
++
+ if (iov_count) {
+ int len, size = sizeof(struct sg_iovec) * iov_count;
+ struct iovec *iov;
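Review bot: The early "return -EINVAL" added before the "if (iov_count)" block runs after the md setup shown in the leading context, and the hunk does not show what sg_start_req() has already acquired by that point or who releases it. Please confirm that the caller unwinds on this error the same way it does for the function's other failure returns. Separately, the "[bwh: ...]" note records the MAX_UIOVEC to UIO_MAXIOV substitution but not whether the bound has the same value in this tree; one more sentence there would settle it, since the commit message's argument depends on the page-count sum in bio_map_user_iov() not wrapping.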
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14 Sat Aug 1 17:20:24 2015 (r22878)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14 Sat Aug 1 17:27:55 2015 (r22879)
@@ -1 +1,2 @@
+ bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
++ bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch