[Karmic] [CVE-2010-4175] [PATCH 01/01] rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
Brad Figg
brad.figg at canonical.com
Wed Feb 23 16:55:05 UTC 2011
From: Dan Rosenberg <drosenberg at vsecurity.com>
CVE-2010-4175
BugLink: http://bugs.launchpad.net/bugs/721455
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.
Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
net/rds/rdma.c | 24 +++++++++++++++++++-----
1 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index aa3befb..fa2ab42 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -616,18 +616,32 @@ out:
int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
struct cmsghdr *cmsg)
{
+ struct rds_rdma_args *args;
struct rds_rdma_op *op;
+ int ret = 0;
if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args))
- || rm->m_rdma_op != NULL)
- return -EINVAL;
+ || rm->m_rdma_op != NULL) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ args = CMSG_DATA(cmsg);
+
+ if (args->nr_local > UIO_MAXIOV) {
+ ret = -EMSGSIZE;
+ goto out;
+ }
op = rds_rdma_prepare(rs, CMSG_DATA(cmsg));
- if (IS_ERR(op))
- return PTR_ERR(op);
+ if (IS_ERR(op)) {
+ ret = PTR_ERR(op);
+ goto out;
+ }
rds_stats_inc(s_send_rdma);
rm->m_rdma_op = op;
- return 0;
+out:
+ return ret;
}
/*
--
1.7.0.4
More information about the kernel-team
mailing list