From patchwork Wed Feb 23 16:55:07 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brad Figg X-Patchwork-Id: 84212 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 438BCB7193 for ; Thu, 24 Feb 2011 03:59:25 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1PsI3d-0000x4-Bo; Wed, 23 Feb 2011 16:59:21 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1PsI3b-0000wY-Cu for kernel-team@lists.ubuntu.com; Wed, 23 Feb 2011 16:59:19 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1PsI3b-0004I7-Be for ; Wed, 23 Feb 2011 16:59:19 +0000 Received: from pool-98-108-155-157.ptldor.fios.verizon.net ([98.108.155.157] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1PsI3a-0004zK-WF for kernel-team@lists.ubuntu.com; Wed, 23 Feb 2011 16:59:19 +0000 From: Brad Figg To: kernel-team@lists.ubuntu.com Subject: [Maverick] [CVE-2010-4175] [PATCH 01/01] rds: Integer overflow in RDS cmsg handling, CVE-2010-4175 Date: Wed, 23 Feb 2011 08:55:07 -0800 Message-Id: <1298480107-15119-3-git-send-email-brad.figg@canonical.com> X-Mailer: git-send-email 1.7.0.4 In-Reply-To: <1298480107-15119-1-git-send-email-brad.figg@canonical.com> References: <1298480107-15119-1-git-send-email-brad.figg@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Dan Rosenberg CVE-2010-4175 BugLink: http://bugs.launchpad.net/bugs/721455 In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This seems to need a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. Signed-off-by: Dan Rosenberg Signed-off-by: David S. Miller (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6) Signed-off-by: Brad Figg Acked-by: Tim Gardner Acked-by: John Johansen --- net/rds/rdma.c | 24 +++++++++++++++++++----- 1 files changed, 19 insertions(+), 5 deletions(-) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index e2ccf7b..f95cf32 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -643,18 +643,32 @@ out: int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, struct cmsghdr *cmsg) { + struct rds_rdma_args *args; struct rds_rdma_op *op; + int ret = 0; if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args)) || - rm->m_rdma_op != NULL) - return -EINVAL; + rm->m_rdma_op != NULL) { + ret = -EINVAL; + goto out; + } + + args = CMSG_DATA(cmsg); + + if (args->nr_local > UIO_MAXIOV) { + ret = -EMSGSIZE; + goto out; + } op = rds_rdma_prepare(rs, CMSG_DATA(cmsg)); - if (IS_ERR(op)) - return PTR_ERR(op); + if (IS_ERR(op)) { + ret = PTR_ERR(op); + goto out; + } rds_stats_inc(s_send_rdma); rm->m_rdma_op = op; - return 0; +out: + return ret; } /*