[Hardy] [CVE-2010-4655] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

John Johansen john.johansen at canonical.com
Wed Apr 27 08:08:13 UTC 2011


On 04/26/2011 02:06 PM, Leann Ogasawara wrote:
> The following changes since commit bb5c3ef299eb1122430f0beef24ca63c29deb6a7:
>   Goldwyn Rodrigues (1):
>         Treat writes as new when holes span across page boundaries, CVE-2011-0463
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655
> 
> Kees Cook (1):
>       net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
> 
>  net/core/ethtool.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> From 485e20ad2db57eb064ef49087b2d9878b4131743 Mon Sep 17 00:00:00 2001
> From: Kees Cook <kees.cook at canonical.com>
> Date: Mon, 11 Oct 2010 12:23:25 -0700
> Subject: [PATCH] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
> 
> BugLink: http://bugs.launchpad.net/bugs/771445
> 
> CVE-2010-4655
> 
> Several other ethtool functions leave heap uncleared (potentially) by
> drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
> are well controlled. In some situations (e.g. unchecked error conditions),
> the heap will remain unchanged in areas before copying back to userspace.
> Note that these are less of an issue since these all require CAP_NET_ADMIN.
> 
> Cc: stable at kernel.org
> Signed-off-by: Kees Cook <kees.cook at canonical.com>
> Acked-by: Ben Hutchings <bhutchings at solarflare.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>

Acked-by: John Johansen <john.johansen at canonical.com>


> 
> (backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
> Signed-off-by: Leann Ogasawara <leann.ogasawara at canonical.com>
> ---
>  net/core/ethtool.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 1163eb2..28eb246 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -226,7 +226,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
>  	if (regs.len > reglen)
>  		regs.len = reglen;
>  
> -	regbuf = kmalloc(reglen, GFP_USER);
> +	regbuf = kzalloc(reglen, GFP_USER);
>  	if (!regbuf)
>  		return -ENOMEM;
>  
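
Review bot: the kzalloc() on the regbuf allocation in ethtool_get_regs() is the only change carried here (1 insertion, 1 deletion), while the commit message describes "several other ethtool functions" that leave heap uncleared before copying back to userspace. The backport note should say whether the other driver-filled buffers in Hardy's net/core/ethtool.c were checked and either do not exist in this tree or are already zeroed, so a later reader can tell the CVE is fully covered by this one line. A one-line comment above the allocation stating that the buffer is copied to userspace and may not be completely written by the driver would also keep the kzalloc() from being turned back into kmalloc() as a micro-optimisation.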




