From patchwork Thu Jan 27 21:19:03 2011
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 80743
X-Patchwork-Delegate: stefan.bader@canonical.com
To: kernel-team@lists.ubuntu.com
Subject: Karmic SRU, CVE-2010-3859
Message-Id: <20110127211903.E27D932E39@sepang.rtg.net>
Date: Thu, 27 Jan 2011 14:19:03 -0700 (MST)
From: timg@tpi.com (Tim Gardner)

The following changes since commit 8f57f1af10280643dcfda5da7233be6bc211dad5:
  Tim Gardner (1):
        Karmic SRU: thinkpad-acpi: lock down video output state access, CVE-2010-3448

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-3859

David S. Miller (1):
      net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859

Linus Torvalds (1):
      net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859

 net/compat.c     | 10 ++++++----
 net/core/iovec.c | 15 +++++++-------
 net/socket.c     |  4 ++++
 3 files changed, 17 insertions(+), 12 deletions(-)

From 6f26927146d324dacc6b62e7e45f7c1e9d957760 Mon Sep 17 00:00:00 2001
From: David S. Miller
Date: Thu, 28 Oct 2010 11:41:55 -0700
Subject: [PATCH 1/2] net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859

BugLink: http://bugs.launchpad.net/bugs/708839

CVE-2010-3859

commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.

Backported as far as 2.6.23.26

This helps protect us from overflow issues down in the individual
protocol sendmsg/recvmsg handlers.

Once we hit INT_MAX we truncate out the rest of the iovec by setting
the iov_len members to zero.

This works because:

1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial writes are
   allowed and the application will just continue with another write
   to send the rest of the data.

2) For datagram oriented sockets, where there must be a one-to-one
   correspondence between write() calls and packets on the wire,
   INT_MAX is going to be far larger than the packet size limit the
   protocol is going to check for and signal with -EMSGSIZE.

Based upon a patch by Linus Torvalds.

Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Tim Gardner
Acked-by: Stefan Bader
Acked-by: Brad Figg
---
 net/compat.c     | 10 ++++++----
 net/core/iovec.c | 15 +++++++-------
 2 files changed, 13 insertions(+), 12 deletions(-)
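Added example, not part of Tim Gardner's pull request or of David Miller's patch: a userspace C model of the clamping rule the commit message describes. It walks an iovec array with an int running total, shortens the segment that would carry the total past INT_MAX so the total lands exactly on INT_MAX, and zeroes iov_len on every later segment. The function names clamp_iovec_total and live_segments and the sample iovec arrays are assumptions of this example; the kernel's own code in net/core/iovec.c is not reproduced here. The point it makes is that the headroom comparison happens before the addition, so the accumulator can never wrap to a negative value that a caller would read as an errno.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>

/* Hypothetical userspace model of the rule in the commit message, not the
 * kernel's function. Keep a running total in an int; shorten the segment
 * that would push the total past INT_MAX so the total lands exactly on
 * INT_MAX; set iov_len of every later segment to zero. The comparison is
 * done against the remaining headroom before adding, so the int total
 * cannot overflow (signed overflow is undefined in C, and a wrapped
 * negative total is what a caller would mistake for -errno).
 * Returns the clamped total, always in [0, INT_MAX]. */
static int clamp_iovec_total(struct iovec *iov, size_t nr_segs)
{
    int total = 0;

    for (size_t i = 0; i < nr_segs; i++) {
        size_t len = iov[i].iov_len;
        size_t room = (size_t)(INT_MAX - total);   /* headroom left */

        if (len > room) {
            len = room;                 /* becomes 0 once total == INT_MAX */
            iov[i].iov_len = len;       /* truncate the caller's vector */
        }
        total += (int)len;
    }
    return total;
}

/* Segments still carrying data after clamping. A SOCK_STREAM caller
 * sees a short write covering exactly these and resubmits the rest. */
static size_t live_segments(const struct iovec *iov, size_t nr_segs)
{
    size_t n = 0;

    for (size_t i = 0; i < nr_segs; i++)
        if (iov[i].iov_len != 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed input: three segments whose lengths sum past INT_MAX. */
    struct iovec v[3] = {
        { NULL, (size_t)INT_MAX - 10 },
        { NULL, 100 },
        { NULL, 50 },
    };
    int total = clamp_iovec_total(v, 3);

    printf("total=%d (INT_MAX=%d)\n", total, INT_MAX);
    for (size_t i = 0; i < 3; i++)
        printf("iov[%zu].iov_len=%zu\n", i, v[i].iov_len);
    printf("live segments: %zu\n", live_segments(v, 3));
    return 0;
}
```

With the constructed input the second segment is cut from 100 bytes to the 10 that still fit, the third is zeroed, and the total is exactly INT_MAX; an input that already fits is returned untouched.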