Dapper SRU, CVE-2010-3859
Stefan Bader
stefan.bader at canonical.com
Fri Jan 28 09:51:17 UTC 2011
On 01/27/2011 11:15 PM, Tim Gardner wrote:
> The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
> Dan Rosenberg (1):
> drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859
>
> David S. Miller (1):
> net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>
> Tim Gardner (1):
> net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
> net/compat.c | 4 ++++
> net/core/iovec.c | 15 +++++++--------
> net/socket.c | 6 ++++++
> 3 files changed, 17 insertions(+), 8 deletions(-)
>
> From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner at canonical.com>
> Date: Thu, 27 Jan 2011 13:57:38 -0700
> Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
> BugLink: http://bugs/launchpad.net/bugs/708839
^
bugs. not bugs/
Seems to go in the same direction, but how does one find out? (Just out of interest)
>
> CVE-2010-3859
>
> Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
> Stable backported to 2.6.32.26
>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> net/socket.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/net/socket.c b/net/socket.c
> index 6e57b95..8de4725 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1522,6 +1522,9 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
> struct msghdr msg;
> struct iovec iov;
>
> + if (len > INT_MAX)
> + len = INT_MAX;
> +
> sock = sockfd_lookup(fd, &err);
> if (!sock)
> goto out;
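Review bot: The clamp on `len` at the top of sendto shortens the request silently, and nothing in the hunk says why INT_MAX is the limit. `len` is a size_t here, so a caller passing more than INT_MAX gets a shorter send instead of an error. A one-line comment above `if (len > INT_MAX)` stating that the truncation is intentional would make this backport easier to check against the upstream commit named in the changelog.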
> @@ -1578,6 +1581,9 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
> char address[MAX_SOCK_ADDR];
> int err,err2;
>
> + if (size > INT_MAX)
> + size = INT_MAX;
> +
> sock = sockfd_lookup(fd, &err);
> if (!sock)
> goto out;
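Review bot: The recvfrom clamp on `size` repeats the sendto check by hand, so the two copies can drift apart in later backports. This patch touches only sendto and recvfrom in net/socket.c, while the pull request's diffstat also lists net/compat.c and net/core/iovec.c under the companion commit. The changelog should say whether the remaining socket I/O paths depend on that second patch, so that nobody applying this one alone assumes the length limit is complete.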