Patchwork [Hardy,CVE-2010-4655] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

Submitter Leann Ogasawara
Date April 26, 2011, 9:06 p.m.
Message ID <1303851988.2158.31.camel@adamo>
Permalink /patch/92959/
State New

Pull-request

git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655

Comments

Leann Ogasawara - April 26, 2011, 9:06 p.m.
The following changes since commit bb5c3ef299eb1122430f0beef24ca63c29deb6a7:
  Goldwyn Rodrigues (1):
        Treat writes as new when holes span across page boundaries, CVE-2011-0463

are available in the git repository at:

  git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655

Kees Cook (1):
      net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

 net/core/ethtool.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

From 485e20ad2db57eb064ef49087b2d9878b4131743 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees.cook@canonical.com>
Date: Mon, 11 Oct 2010 12:23:25 -0700
Subject: [PATCH] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

BugLink: http://bugs.launchpad.net/bugs/771445

CVE-2010-4655

Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

Cc: stable@kernel.org
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

(backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
 net/core/ethtool.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
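
The leak class the commit message describes, as an added userspace model that is not part of the patch or the kernel tree: a buffer handed out uncleared, a callback that fills only part of it, and a copy-out of the full length. `sim_kmalloc`, `sim_kzalloc`, `drv_get_regs` and `leaked_bytes` are hypothetical names, and the single reusable chunk is a constructed stand-in for slab reuse.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a slab cache: one reusable chunk that, like
 * kmalloc(), is handed back with whatever the previous user left in it. */
#define CHUNK 64
static unsigned char chunk[CHUNK];

static void *sim_kmalloc(size_t n) { return n <= CHUNK ? chunk : NULL; }
static void *sim_kzalloc(size_t n)
{
	void *p = sim_kmalloc(n);
	if (p)
		memset(p, 0, n);	/* the only difference from sim_kmalloc */
	return p;
}

/* Hypothetical driver callback: asked for reglen bytes, fills only half. */
static void drv_get_regs(unsigned char *buf, size_t reglen)
{
	memset(buf, 0xAB, reglen / 2);
}

/* Models the core path: allocate reglen, let the driver fill, copy reglen
 * bytes out. Returns how many stale bytes reached the "userspace" buffer. */
static size_t leaked_bytes(void *(*alloc)(size_t), size_t reglen)
{
	unsigned char user[CHUNK];
	unsigned char *regbuf;
	size_t i, leaked = 0;

	memset(chunk, 'S', CHUNK);	/* previous owner's data, then freed */
	regbuf = alloc(reglen);
	if (!regbuf)
		return 0;
	drv_get_regs(regbuf, reglen);
	memcpy(user, regbuf, reglen);	/* stands in for copy_to_user() */
	for (i = 0; i < reglen; i++)
		if (user[i] == 'S')
			leaked++;
	return leaked;
}

int main(void)
{
	/* Exit 0 only if the zeroing allocator leaks nothing. */
	return leaked_bytes(sim_kzalloc, 32) == 0 ? 0 : 1;
}
```
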
Brad Figg - April 26, 2011, 9:10 p.m.
On 04/26/2011 02:06 PM, Leann Ogasawara wrote:
> The following changes since commit bb5c3ef299eb1122430f0beef24ca63c29deb6a7:
>    Goldwyn Rodrigues (1):
>          Treat writes as new when holes span across page boundaries, CVE-2011-0463
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655
>
> Kees Cook (1):
>        net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
>
>   net/core/ethtool.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
>  From 485e20ad2db57eb064ef49087b2d9878b4131743 Mon Sep 17 00:00:00 2001
> From: Kees Cook<kees.cook@canonical.com>
> Date: Mon, 11 Oct 2010 12:23:25 -0700
> Subject: [PATCH] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
>
> BugLink: http://bugs.launchpad.net/bugs/771445
>
> CVE-2010-4655
>
> Several other ethtool functions leave heap uncleared (potentially) by
> drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
> are well controlled. In some situations (e.g. unchecked error conditions),
> the heap will remain unchanged in areas before copying back to userspace.
> Note that these are less of an issue since these all require CAP_NET_ADMIN.
>
> Cc: stable@kernel.org
> Signed-off-by: Kees Cook<kees.cook@canonical.com>
> Acked-by: Ben Hutchings<bhutchings@solarflare.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
>
> (backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
> Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
> ---
>   net/core/ethtool.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 1163eb2..28eb246 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -226,7 +226,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
>   	if (regs.len>  reglen)
>   		regs.len = reglen;
>
> -	regbuf = kmalloc(reglen, GFP_USER);
> +	regbuf = kzalloc(reglen, GFP_USER);
>   	if (!regbuf)
>   		return -ENOMEM;
>
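
Review bot: The new kzalloc(reglen, GFP_USER) line has no comment saying the zeroing is security-relevant, so a later cleanup could switch it back to kmalloc as a micro-optimisation. A one-line comment above the allocation would help, noting that the driver may leave part of regbuf unwritten before it is copied back to userspace, which is the reason the commit message gives.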

Acked-by: Brad Figg <brad.figg@canonical.com>
John Johansen - April 27, 2011, 8:08 a.m.
On 04/26/2011 02:06 PM, Leann Ogasawara wrote:
> The following changes since commit bb5c3ef299eb1122430f0beef24ca63c29deb6a7:
>   Goldwyn Rodrigues (1):
>         Treat writes as new when holes span across page boundaries, CVE-2011-0463
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655
> 
> Kees Cook (1):
>       net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
> 
>  net/core/ethtool.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> From 485e20ad2db57eb064ef49087b2d9878b4131743 Mon Sep 17 00:00:00 2001
> From: Kees Cook <kees.cook@canonical.com>
> Date: Mon, 11 Oct 2010 12:23:25 -0700
> Subject: [PATCH] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
> 
> BugLink: http://bugs.launchpad.net/bugs/771445
> 
> CVE-2010-4655
> 
> Several other ethtool functions leave heap uncleared (potentially) by
> drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
> are well controlled. In some situations (e.g. unchecked error conditions),
> the heap will remain unchanged in areas before copying back to userspace.
> Note that these are less of an issue since these all require CAP_NET_ADMIN.
> 
> Cc: stable@kernel.org
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> Acked-by: Ben Hutchings <bhutchings@solarflare.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>

Acked-by: John Johansen <john.johansen@canonical.com>


> 
> (backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
>  net/core/ethtool.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 1163eb2..28eb246 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -226,7 +226,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
>  	if (regs.len > reglen)
>  		regs.len = reglen;
>  
> -	regbuf = kmalloc(reglen, GFP_USER);
> +	regbuf = kzalloc(reglen, GFP_USER);
>  	if (!regbuf)
>  		return -ENOMEM;
>
Tim Gardner - April 27, 2011, 1:08 p.m.
On 04/26/2011 03:06 PM, Leann Ogasawara wrote:
> git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655

applied

Patch

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 1163eb2..28eb246 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -226,7 +226,7 @@  static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
 	if (regs.len > reglen)
 		regs.len = reglen;
 
-	regbuf = kmalloc(reglen, GFP_USER);
+	regbuf = kzalloc(reglen, GFP_USER);
 	if (!regbuf)
 		return -ENOMEM;
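
Review bot: The commit message speaks of several ethtool functions leaving heap uncleared, but the diffstat and this hunk change only the one allocation in ethtool_get_regs. If the upstream commit touched other functions that are absent or different in this tree, the "(backport of commit ...)" line should say which hunks were dropped and why, so a reviewer can confirm that no other kmalloc in net/core/ethtool.c whose buffer is copied back to userspace was left unzeroed.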