Dapper SRU, CVE-2010-3859

Brad Figg brad.figg at canonical.com
Fri Jan 28 16:16:54 UTC 2011


On 01/27/2011 02:15 PM, Tim Gardner wrote:
> The following changes since commit 935dc7c143df82eed4efe22af6f5d54a9e63e42d:
>    Dan Rosenberg (1):
>          drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-3859
>
> David S. Miller (1):
>        net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
>
> Tim Gardner (1):
>        net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
>   net/compat.c     |    4 ++++
>   net/core/iovec.c |   15 +++++++--------
>   net/socket.c     |    6 ++++++
>   3 files changed, 17 insertions(+), 8 deletions(-)
>
>  From 56dbc8e48a729838dc4e625bdc00f594d06690cd Mon Sep 17 00:00:00 2001
> From: Tim Gardner<tim.gardner at canonical.com>
> Date: Thu, 27 Jan 2011 13:57:38 -0700
> Subject: [PATCH 1/2] net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
>
> BugLink: http://bugs/launchpad.net/bugs/708839
>
> CVE-2010-3859
>
> Backported from commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
> Stable backported to 2.6.32.26
>
> Signed-off-by: Linus Torvalds<torvalds at linux-foundation.org>
> Signed-off-by: David S. Miller<davem at davemloft.net>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
> Signed-off-by: Tim Gardner<tim.gardner at canonical.com>
> ---
>   net/socket.c |    6 ++++++
>   1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/net/socket.c b/net/socket.c
> index 6e57b95..8de4725 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1522,6 +1522,9 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
>   	struct msghdr msg;
>   	struct iovec iov;
>   	
> +	if (len>  INT_MAX)
> +		len = INT_MAX;
> +
>   	sock = sockfd_lookup(fd,&err);
>   	if (!sock)
>   		goto out;
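
Review bot: the clamp on `len` at the top of sendto shortens an oversized request silently instead of failing it, and nothing in the hunk says why. A one-line comment above `if (len>  INT_MAX)` would help, stating that the length is capped to match the INT_MAX limit on total iovec length that the companion patch introduces, and that the caller will see a short count. If the spacing in `len>  INT_MAX` and `fd,&err` is in the patch itself and not an artifact of the mail client, it should be normalized to kernel style.
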
> @@ -1578,6 +1581,9 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
>   	char address[MAX_SOCK_ADDR];
>   	int err,err2;
>
> +	if (size>  INT_MAX)
> +		size = INT_MAX;
> +
>   	sock = sockfd_lookup(fd,&err);
>   	if (!sock)
>   		goto out;
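
Review bot: the `size` clamp in recvfrom is correct as far as it goes, but this message carries only patch 1/2 and touches only the sendto and recvfrom entry points. The cover letter's diffstat lists net/compat.c and net/core/iovec.c as well, so the ack should be conditional on checking that 2/2 covers the sendmsg/recvmsg and compat paths, not on this hunk alone. The context line `int err,err2;` shows the result is carried in an int, so truncating to INT_MAX is consistent with what the call could return anyway. As in the sendto hunk, a short comment on the clamp would make the intent clear to the next person backporting.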

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com



