Patchwork Dapper SRU, CVE-2010-3859

login
register
mail settings
Submitter Tim Gardner
Date Jan. 27, 2011, 10:15 p.m.
Message ID <20110127221532.0E98332E39@sepang.rtg.net>
Download mbox
Permalink /patch/80746/
State Accepted
Delegated to: Stefan Bader
Headers show

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859

Comments

Tim Gardner - Jan. 27, 2011, 10:15 p.m.
The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
  Dan Rosenberg (1):
        drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859

David S. Miller (1):
      net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859

Tim Gardner (1):
      net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859

 net/compat.c     |    4 ++++
 net/core/iovec.c |   15 +++++++--------
 net/socket.c     |    6 ++++++
 3 files changed, 17 insertions(+), 8 deletions(-)

From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner@canonical.com>
Date: Thu, 27 Jan 2011 13:57:38 -0700
Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859

BugLink: http://bugs/launchpad.net/bugs/708839

CVE-2010-3859

Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
Stable backported to 2.6.32.26

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 net/socket.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
Stefan Bader - Jan. 28, 2011, 9:51 a.m.
On 01/27/2011 11:15 PM, Tim Gardner wrote:
> The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
>   Dan Rosenberg (1):
>         drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859
> 
> David S. Miller (1):
>       net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
> 
> Tim Gardner (1):
>       net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
> 
>  net/compat.c     |    4 ++++
>  net/core/iovec.c |   15 +++++++--------
>  net/socket.c     |    6 ++++++
>  3 files changed, 17 insertions(+), 8 deletions(-)
> 
> From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner@canonical.com>
> Date: Thu, 27 Jan 2011 13:57:38 -0700
> Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
> 
> BugLink: http://bugs/launchpad.net/bugs/708839
  ^
  bugs. not bugs/

Seems to go into the same direction, but how does one find out. (Just interest)
> 
> CVE-2010-3859
> 
> Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
> Stable backported to 2.6.32.26
> 
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/socket.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)
> 
> diff --git a/net/socket.c b/net/socket.c
> index 6e57b95..8de4725 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1522,6 +1522,9 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
>  	struct msghdr msg;
>  	struct iovec iov;
>  	
> +	if (len > INT_MAX)
> +		len = INT_MAX;
> +
>  	sock = sockfd_lookup(fd, &err);
>  	if (!sock)
>  		goto out;
> @@ -1578,6 +1581,9 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
>  	char address[MAX_SOCK_ADDR];
>  	int err,err2;
>  
> +	if (size > INT_MAX)
> +		size = INT_MAX;
> +
>  	sock = sockfd_lookup(fd, &err);
>  	if (!sock)
>  		goto out;
Tim Gardner - Jan. 28, 2011, 1:43 p.m.
On 01/28/2011 02:51 AM, Stefan Bader wrote:
> On 01/27/2011 11:15 PM, Tim Gardner wrote:
>> The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
>>    Dan Rosenberg (1):
>>          drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078
>>
>> are available in the git repository at:
>>
>>    git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859
>>
>> David S. Miller (1):
>>        net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>>
>> Tim Gardner (1):
>>        net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>>
>>   net/compat.c     |    4 ++++
>>   net/core/iovec.c |   15 +++++++--------
>>   net/socket.c     |    6 ++++++
>>   3 files changed, 17 insertions(+), 8 deletions(-)
>>
>>  From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
>> From: Tim Gardner<tim.gardner@canonical.com>
>> Date: Thu, 27 Jan 2011 13:57:38 -0700
>> Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>>
>> BugLink: http://bugs/launchpad.net/bugs/708839
>    ^
>    bugs. not bugs/
>
> Seems to go into the same direction, but how does one find out. (Just interest)
>>

corrected
Brad Figg - Jan. 28, 2011, 4:16 p.m.
On 01/27/2011 02:15 PM, Tim Gardner wrote:
> The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
>    Dan Rosenberg (1):
>          drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859
>
> David S. Miller (1):
>        net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>
> Tim Gardner (1):
>        net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
>   net/compat.c     |    4 ++++
>   net/core/iovec.c |   15 +++++++--------
>   net/socket.c     |    6 ++++++
>   3 files changed, 17 insertions(+), 8 deletions(-)
>
>  From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
> From: Tim Gardner<tim.gardner@canonical.com>
> Date: Thu, 27 Jan 2011 13:57:38 -0700
> Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
> BugLink: http://bugs/launchpad.net/bugs/708839
>
> CVE-2010-3859
>
> Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
> Stable backported to 2.6.32.26
>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
> Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
> ---
>   net/socket.c |    6 ++++++
>   1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/net/socket.c b/net/socket.c
> index 6e57b95..8de4725 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1522,6 +1522,9 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
>   	struct msghdr msg;
>   	struct iovec iov;
>   	
> +	if (len>  INT_MAX)
> +		len = INT_MAX;
> +
>   	sock = sockfd_lookup(fd,&err);
>   	if (!sock)
>   		goto out;
> @@ -1578,6 +1581,9 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
>   	char address[MAX_SOCK_ADDR];
>   	int err,err2;
>
> +	if (size>  INT_MAX)
> +		size = INT_MAX;
> +
>   	sock = sockfd_lookup(fd,&err);
>   	if (!sock)
>   		goto out;

Acked-by: Brad Figg <brad.figg@canonical.com>
Tim Gardner - Jan. 28, 2011, 4:51 p.m.
applied and pushed