[Karmic] [CVE-2010-4175] [PATCH 01/01] rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

[Brad Figg]

From: Dan Rosenberg <drosenberg at vsecurity.com>

CVE-2010-4175

BugLink: http://bugs.launchpad.net/bugs/721455

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

(backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
 net/rds/rdma.c |   24 +++++++++++++++++++-----
 1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index aa3befb..fa2ab42 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -616,18 +616,32 @@ out:
 int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
 			  struct cmsghdr *cmsg)
 {
+	struct rds_rdma_args *args;
 	struct rds_rdma_op *op;
+        int ret = 0;
 
 	if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args))
-	 || rm->m_rdma_op != NULL)
-		return -EINVAL;
+	 || rm->m_rdma_op != NULL) {
+		ret = -EINVAL;
+		goto out;
+	}
+
+	args = CMSG_DATA(cmsg);
+
+	if (args->nr_local > UIO_MAXIOV) {
+		ret = -EMSGSIZE;
+		goto out;
+	}
 
 	op = rds_rdma_prepare(rs, CMSG_DATA(cmsg));
-	if (IS_ERR(op))
-		return PTR_ERR(op);
+	if (IS_ERR(op)) {
+		ret = PTR_ERR(op);
+		goto out;
+	}
 	rds_stats_inc(s_send_rdma);
 	rm->m_rdma_op = op;
-	return 0;
+out:
+	return ret;
 }
 
 /*
-- 
1.7.0.4