Karmic SRU, CVE-2010-3859

Brad Figg brad.figg at canonical.com
Fri Jan 28 16:16:07 UTC 2011 

On 01/27/2011 01:19 PM, Tim Gardner wrote:
> The following changes since commit 8f57f1af10280643dcfda5da7233be6bc211dad5:
>    Tim Gardner (1):
>          Karmic SRU: thinkpad-acpi: lock down video output state access, CVE-2010-3448
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-3859
>
> David S. Miller (1):
>        net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>
> Linus Torvalds (1):
>        net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
>   net/compat.c     |   10 ++++++----
>   net/core/iovec.c |   15 +++++++--------
>   net/socket.c     |    4 ++++
>   3 files changed, 17 insertions(+), 12 deletions(-)
>
>  From 6f26927146d324dacc6b62e7e45f7c1e9d957760 Mon Sep 17 00:00:00 2001
> From: David S. Miller<davem at davemloft.net>
> Date: Thu, 28 Oct 2010 11:41:55 -0700
> Subject: [PATCH 1/2] net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>
> BugLink: http://bugs.launchpad.net/bugs/708839
>
> CVE-2010-3859
>
> commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.
> Backported as far as 2.6.23.26
>
> This helps protect us from overflow issues down in the
> individual protocol sendmsg/recvmsg handlers.  Once
> we hit INT_MAX we truncate out the rest of the iovec
> by setting the iov_len members to zero.
>
> This works because:
>
> 1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
>     writes are allowed and the application will just continue
>     with another write to send the rest of the data.
>
> 2) For datagram oriented sockets, where there must be a
>     one-to-one correspondance between write() calls and
>     packets on the wire, INT_MAX is going to be far larger
>     than the packet size limit the protocol is going to
>     check for and signal with -EMSGSIZE.
>
> Based upon a patch by Linus Torvalds.
>
> Signed-off-by: David S. Miller<davem at davemloft.net>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
> Signed-off-by: Tim Gardner<tim.gardner at canonical.com>
> ---
>   net/compat.c     |   10 ++++++----
>   net/core/iovec.c |   15 +++++++--------
>   2 files changed, 13 insertions(+), 12 deletions(-)
>
> diff --git a/net/compat.c b/net/compat.c
> index 8d73905..2a2659b 100644
> --- a/net/compat.c
> +++ b/net/compat.c
> @@ -40,10 +40,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
>   		compat_size_t len;
>
>   		if (get_user(len,&uiov32->iov_len) ||
> -		   get_user(buf,&uiov32->iov_base)) {
> -			tot_len = -EFAULT;
> -			break;
> -		}
> +		    get_user(buf,&uiov32->iov_base))
> +			return -EFAULT;
> +
> +		if (len>  INT_MAX - tot_len)
> +			len = INT_MAX - tot_len;
> +
>   		tot_len += len;
>   		kiov->iov_base = compat_ptr(buf);
>   		kiov->iov_len = (__kernel_size_t) len;
> diff --git a/net/core/iovec.c b/net/core/iovec.c
> index 16ad45d..b6a4780 100644
> --- a/net/core/iovec.c
> +++ b/net/core/iovec.c
> @@ -60,14 +60,13 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
>   	err = 0;
>
>   	for (ct = 0; ct<  m->msg_iovlen; ct++) {
> -		err += iov[ct].iov_len;
> -		/*
> -		 * Goal is not to verify user data, but to prevent returning
> -		 * negative value, which is interpreted as errno.
> -		 * Overflow is still possible, but it is harmless.
> -		 */
> -		if (err<  0)
> -			return -EMSGSIZE;
> +		size_t len = iov[ct].iov_len;
> +
> +		if (len>  INT_MAX - err) {
> +			len = INT_MAX - err;
> +			iov[ct].iov_len = len;
> +		}
> +		err += len;
>   	}
>
>   	return err;

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com

More information about the kernel-team mailing list