X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 451963
From: Luis Henriques
To: kernel-team@lists.ubuntu.com
Subject: [Trusty][CVE-2015-2042][PATCH 5/5] net: rds: use correct size for max unacked packets and bytes
Date: Thu, 19 Mar 2015 11:37:44 +0000
Message-Id: <1426765064-19842-6-git-send-email-luis.henriques@canonical.com>
In-Reply-To: <1426765064-19842-1-git-send-email-luis.henriques@canonical.com>

From: Sasha Levin Max unacked packets/bytes is an int while sizeof(long) was used in the sysctl table. This means that when they were getting read we'd also leak kernel memory to userspace along with the timeout values. Signed-off-by: Sasha Levin Signed-off-by: David S. Miller (cherry picked from commit db27ebb111e9f69efece08e4cb6a34ff980f8896) CVE-2015-2042 BugLink: http://bugs.launchpad.net/bugs/1425274 Signed-off-by: Luis Henriques --- net/rds/sysctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c index b5cb2aa08f33..35773ad6d23d 100644 --- a/net/rds/sysctl.c +++ b/net/rds/sysctl.c @@ -71,14 +71,14 @@ static struct ctl_table rds_sysctl_rds_table[] = { { .procname = "max_unacked_packets", .data = &rds_sysctl_max_unacked_packets, - .maxlen = sizeof(unsigned long), + .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec, }, { .procname = "max_unacked_bytes", .data = &rds_sysctl_max_unacked_bytes, - .maxlen = sizeof(unsigned long), + .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec, },
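
Review bot: In both changed entries of rds_sysctl_rds_table, `.maxlen = sizeof(int)` states the type a second time by hand, which is the same duplication that let `sizeof(unsigned long)` drift away from the variable's real size. Deriving the length from the object that `.data` points at, for example `.maxlen = sizeof(rds_sysctl_max_unacked_packets)` and `.maxlen = sizeof(rds_sysctl_max_unacked_bytes)`, keeps the two in step if a declaration changes later. The declarations are outside this hunk, so the int type rests on the commit message and on the `proc_dointvec` handler; confirm it against the definitions before merging. The commit message also describes only the read side, while both entries carry `.mode = 0644`, so the oversized length applied to writes through the same handler as well, and the message could say so.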