Message ID | 20110127221532.0E98332E39@sepang.rtg.net |
---|---|
State | Accepted |
Delegated to: | Stefan Bader |
On 01/27/2011 11:15 PM, Tim Gardner wrote: > The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d: > Dan Rosenberg (1): > drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078 > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859 > > David S. Miller (1): > net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859 > > Tim Gardner (1): > net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859 > > net/compat.c | 4 ++++ > net/core/iovec.c | 15 +++++++-------- > net/socket.c | 6 ++++++ > 3 files changed, 17 insertions(+), 8 deletions(-) > > From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001 > From: Tim Gardner <tim.gardner@canonical.com> > Date: Thu, 27 Jan 2011 13:57:38 -0700 > Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859 > > BugLink: http://bugs/launchpad.net/bugs/708839 ^ bugs. not bugs/ Seems to go into the same direction, but how does one find out. (Just interest) > > CVE-2010-3859 > > Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream. > Stable backported to 2.6.32.26 > > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: David S. Miller <davem@davemloft.net> > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/socket.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/net/socket.c b/net/socket.c > index 6e57b95..8de4725 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -1522,6 +1522,9 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, > struct msghdr msg; > struct iovec iov; > > + if (len > INT_MAX) > + len = INT_MAX; > + > sock = sockfd_lookup(fd, &err); > if (!sock) > goto out; 
> @@ -1578,6 +1581,9 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, > char address[MAX_SOCK_ADDR]; > int err,err2; > > + if (size > INT_MAX) > + size = INT_MAX; > + > sock = sockfd_lookup(fd, &err); > if (!sock) > goto out;
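Review bot: The clamp added at the top of sendto (`if (len > INT_MAX) len = INT_MAX;`) silently shortens an oversized request, and neither the hunk nor the commit message says why truncation was chosen over returning an error. A one-line comment above the check, stating that lengths beyond INT_MAX are capped so the caller simply sees a short send, would make the intent clear to whoever next touches this backport.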
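Review bot: In the recvfrom hunk the same three-line clamp is repeated on `size` without a comment, and the commit message cites the upstream commit but does not describe the problem being fixed. This patch touches only net/socket.c, while the cover letter's diffstat also lists net/compat.c and net/core/iovec.c. The message should therefore say that the iovec paths are covered by the other patch in the series ("net: Limit socket I/O iovec total length to INT_MAX."), so a reader can tell that these two syscalls are not the whole fix for CVE-2010-3859.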
On 01/28/2011 02:51 AM, Stefan Bader wrote:
> On 01/27/2011 11:15 PM, Tim Gardner wrote:
>> The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
>> Dan Rosenberg (1):
>> drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078
>>
>> are available in the git repository at:
>>
>> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859
>>
>> David S. Miller (1):
>> net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>>
>> Tim Gardner (1):
>> net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>>
>> net/compat.c | 4 ++++
>> net/core/iovec.c | 15 +++++++--------
>> net/socket.c | 6 ++++++
>> 3 files changed, 17 insertions(+), 8 deletions(-)
>>
>> From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
>> From: Tim Gardner<tim.gardner@canonical.com>
>> Date: Thu, 27 Jan 2011 13:57:38 -0700
>> Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>>
>> BugLink: http://bugs/launchpad.net/bugs/708839
> ^
> bugs. not bugs/
>
> Seems to go into the same direction, but how does one find out. (Just interest)
>>

corrected
On 01/27/2011 02:15 PM, Tim Gardner wrote: > The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d: > Dan Rosenberg (1): > drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078 > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859 > > David S. Miller (1): > net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859 > > Tim Gardner (1): > net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859 > > net/compat.c | 4 ++++ > net/core/iovec.c | 15 +++++++-------- > net/socket.c | 6 ++++++ > 3 files changed, 17 insertions(+), 8 deletions(-) > > From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001 > From: Tim Gardner<tim.gardner@canonical.com> > Date: Thu, 27 Jan 2011 13:57:38 -0700 > Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859 > > BugLink: http://bugs/launchpad.net/bugs/708839 > > CVE-2010-3859 > > Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream. > Stable backported to 2.6.32.26 > > Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> > Signed-off-by: David S. Miller<davem@davemloft.net> > Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de> > Signed-off-by: Tim Gardner<tim.gardner@canonical.com> > --- > net/socket.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/net/socket.c b/net/socket.c > index 6e57b95..8de4725 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -1522,6 +1522,9 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, > struct msghdr msg; > struct iovec iov; > > + if (len> INT_MAX) > + len = INT_MAX; > + > sock = sockfd_lookup(fd,&err); > if (!sock) > goto out; 
> @@ -1578,6 +1581,9 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, > char address[MAX_SOCK_ADDR]; > int err,err2; > > + if (size> INT_MAX) > + size = INT_MAX; > + > sock = sockfd_lookup(fd,&err); > if (!sock) > goto out; Acked-by: Brad Figg <brad.figg@canonical.com>
applied and pushed