[Hardy] [CVE-2010-4655] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

Brad Figg brad.figg at canonical.com
Tue Apr 26 21:10:18 UTC 2011


On 04/26/2011 02:06 PM, Leann Ogasawara wrote:
> The following changes since commit bb5c3ef299eb1122430f0beef24ca63c29deb6a7:
>    Goldwyn Rodrigues (1):
>          Treat writes as new when holes span across page boundaries, CVE-2011-0463
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655
>
> Kees Cook (1):
>        net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
>
>   net/core/ethtool.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
>  From 485e20ad2db57eb064ef49087b2d9878b4131743 Mon Sep 17 00:00:00 2001
> From: Kees Cook<kees.cook at canonical.com>
> Date: Mon, 11 Oct 2010 12:23:25 -0700
> Subject: [PATCH] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
>
> BugLink: http://bugs.launchpad.net/bugs/771445
>
> CVE-2010-4655
>
> Several other ethtool functions leave heap uncleared (potentially) by
> drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
> are well controlled. In some situations (e.g. unchecked error conditions),
> the heap will remain unchanged in areas before copying back to userspace.
> Note that these are less of an issue since these all require CAP_NET_ADMIN.
>
> Cc: stable at kernel.org
> Signed-off-by: Kees Cook<kees.cook at canonical.com>
> Acked-by: Ben Hutchings<bhutchings at solarflare.com>
> Signed-off-by: David S. Miller<davem at davemloft.net>
>
> (backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
> Signed-off-by: Leann Ogasawara<leann.ogasawara at canonical.com>
> ---
>   net/core/ethtool.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 1163eb2..28eb246 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -226,7 +226,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
>   	if (regs.len>  reglen)
>   		regs.len = reglen;
>
> -	regbuf = kmalloc(reglen, GFP_USER);
> +	regbuf = kzalloc(reglen, GFP_USER);
>   	if (!regbuf)
>   		return -ENOMEM;
>
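Review bot: the single changed line in ethtool_get_regs() (kmalloc to kzalloc for regbuf) is the only change in this backport, yet the commit message speaks of "several other ethtool functions" leaving heap uncleared, and nothing explains the difference. The "(backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)" line should say which parts of the upstream change were left out for Hardy and why (for example, that the functions are absent or already zero their buffers in this tree). That lets a reader confirm that no other ethtool buffer copied back to userspace is still allocated with kmalloc. The change itself looks right: the allocation is sized by reglen and regs.len is clamped to reglen just above, so zeroing the full allocation covers whatever length is later copied out.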

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com



