Karmic SRU, CVE-2010-3859

Fri Jan 28 09:43:52 UTC 2011

Looks to be following the upstream change (minus the change of the variable from
long to int).

On 01/27/2011 10:19 PM, Tim Gardner wrote:
> The following changes since commit 8f57f1af10280643dcfda5da7233be6bc211dad5:
>   Tim Gardner (1):
>         Karmic SRU: thinkpad-acpi: lock down video output state access, CVE-2010-3448
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-3859
> 
> David S. Miller (1):
>       net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
> 
> Linus Torvalds (1):
>       net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
> 
>  net/compat.c     |   10 ++++++----
>  net/core/iovec.c |   15 +++++++--------
>  net/socket.c     |    4 ++++
>  3 files changed, 17 insertions(+), 12 deletions(-)
> 
> From 6f26927146d324dacc6b62e7e45f7c1e9d957760 Mon Sep 17 00:00:00 2001
> From: David S. Miller <davem at davemloft.net>
> Date: Thu, 28 Oct 2010 11:41:55 -0700
> Subject: [PATCH 1/2] net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
> 
> BugLink: http://bugs.launchpad.net/bugs/708839
> 
> CVE-2010-3859
> 
> commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.
> Backported as far as 2.6.23.26
> 
> This helps protect us from overflow issues down in the
> individual protocol sendmsg/recvmsg handlers.  Once
> we hit INT_MAX we truncate out the rest of the iovec
> by setting the iov_len members to zero.
> 
> This works because:
> 
> 1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
>    writes are allowed and the application will just continue
>    with another write to send the rest of the data.
> 
> 2) For datagram oriented sockets, where there must be a
>    one-to-one correspondance between write() calls and
>    packets on the wire, INT_MAX is going to be far larger
>    than the packet size limit the protocol is going to
>    check for and signal with -EMSGSIZE.
> 
> Based upon a patch by Linus Torvalds.
> 
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  net/compat.c     |   10 ++++++----
>  net/core/iovec.c |   15 +++++++--------
>  2 files changed, 13 insertions(+), 12 deletions(-)
> 
> diff --git a/net/compat.c b/net/compat.c
> index 8d73905..2a2659b 100644
> --- a/net/compat.c
> +++ b/net/compat.c
> @@ -40,10 +40,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
>  		compat_size_t len;
>  
>  		if (get_user(len, &uiov32->iov_len) ||
> -		   get_user(buf, &uiov32->iov_base)) {
> -			tot_len = -EFAULT;
> -			break;
> -		}
> +		    get_user(buf, &uiov32->iov_base))
> +			return -EFAULT;
> +
> +		if (len > INT_MAX - tot_len)
> +			len = INT_MAX - tot_len;
> +
>  		tot_len += len;
>  		kiov->iov_base = compat_ptr(buf);
>  		kiov->iov_len = (__kernel_size_t) len;
> diff --git a/net/core/iovec.c b/net/core/iovec.c
> index 16ad45d..b6a4780 100644
> --- a/net/core/iovec.c
> +++ b/net/core/iovec.c
> @@ -60,14 +60,13 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
>  	err = 0;
>  
>  	for (ct = 0; ct < m->msg_iovlen; ct++) {
> -		err += iov[ct].iov_len;
> -		/*
> -		 * Goal is not to verify user data, but to prevent returning
> -		 * negative value, which is interpreted as errno.
> -		 * Overflow is still possible, but it is harmless.
> -		 */
> -		if (err < 0)
> -			return -EMSGSIZE;
> +		size_t len = iov[ct].iov_len;
> +
> +		if (len > INT_MAX - err) {
> +			len = INT_MAX - err;
> +			iov[ct].iov_len = len;
> +		}
> +		err += len;
>  	}
>  
>  	return err;