To: kernel-team@lists.ubuntu.com
Subject: Hardy CVE-2010-3880, inet_diag: Make sure we actually run the same bytecode we audited
Message-Id: <20110202190335.46C19F89F8@sepang.rtg.net>
Date: Wed, 2 Feb 2011 12:03:35 -0700 (MST)
From: timg@tpi.com (Tim Gardner)
The following changes since commit 093c92021633ce7cb8f884704215eff5a0616c50:
  Kulikov Vasiliy (1):
        net: tipc: fix information leak to userland, CVE-2010-3877

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-3880

Nelson Elhage (1):
      inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880

 include/net/netlink.h |    2 +-
 net/ipv4/inet_diag.c  |   27 ++++++++++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)
From 885497675fb9365d5b38b278618fff76e3cc7938 Mon Sep 17 00:00:00 2001
From: Nelson Elhage <nelhage@ksplice.com>
Date: Wed, 3 Nov 2010 16:35:41 +0000
Subject: [PATCH] inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880

BugLink: http://bugs.launchpad.net/bugs/711865

CVE-2010-3880

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.
Fix this by consistently using nlmsg_find_attr everywhere.
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 include/net/netlink.h |    2 +-
 net/ipv4/inet_diag.c  |   27 ++++++++++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)
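The audit/run mismatch the commit message describes, as an added user-space model that is not part of this patch or of the kernel's inet_diag code: a constructed two-attribute request in which a lookup by type (what the audit did) and "take the first attribute" (what the pre-fix run path did) land on different payloads, and the fixed run path that repeats the typed lookup. ATTR_OTHER, ATTR_BYTECODE, struct attr_buf and the helper names are stand-ins for the kernel's nlattr types and nlmsg_find_attr(), not the real identifiers.

```c
/* Attribute layout follows the netlink TLV convention: 16-bit length,
 * 16-bit type, payload padded to 4 bytes. Everything here is a simplified,
 * constructed stand-in for struct nlattr / nlmsg_find_attr(). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ATTR_OTHER    2   /* constructed: an unrelated attribute type   */
#define ATTR_BYTECODE 3   /* stands in for INET_DIAG_REQ_BYTECODE      */
#define ALIGN4(n)     (((n) + 3u) & ~3u)
struct attr { uint16_t len; uint16_t type; };        /* mirrors struct nlattr */
struct attr_buf { struct attr h; char payload[4]; };
/* Constructed request with two attributes: the bytecode is NOT the first one. */
static const struct attr_buf req[2] = {
    { { 8, ATTR_OTHER    }, { 'A', 'A', 'A', 'A' } },
    { { 8, ATTR_BYTECODE }, { 'B', 'B', 'B', 'B' } },
};
/* Walk the attribute stream and return the first attribute of the requested
 * type, checking each length against the buffer (nlmsg_find_attr-like). */
static const struct attr *find_attr(const void *buf, size_t size, uint16_t type)
{
    const uint8_t *p = buf;
    size_t off = 0;
    while (off + sizeof(struct attr) <= size) {
        const struct attr *a = (const struct attr *)(p + off);
        if (a->len < sizeof(struct attr) || off + a->len > size)
            return NULL;                 /* malformed length: stop parsing */
        if (a->type == type)
            return a;
        off += ALIGN4(a->len);
    }
    return NULL;
}
/* Payload follows the 4-byte attribute header. */
static const char *payload(const struct attr *a) { return (const char *)(a + 1); }
/* Audit step: looks the bytecode up by type, so it validates "BBBB". */
const char *audited_payload(void)
{ return payload(find_attr(req, sizeof req, ATTR_BYTECODE)); }
/* Pre-fix run step: used the first attribute regardless of type, so it ran "AAAA". */
const char *run_payload_before_fix(void)
{ return payload(&req[0].h); }
/* Post-fix run step: repeats the same typed lookup, so audit and run agree. */
const char *run_payload_after_fix(void)
{ return payload(find_attr(req, sizeof req, ATTR_BYTECODE)); }
```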