[PATCH 0/1] [CVE-2012-3430] [QUANTAL] [PRECISE] [ONEIRIC] [NATTY] [LUCID] rds: set correct msg_namelen

Brad Figg brad.figg at canonical.com
Wed Aug 15 19:39:50 UTC 2012


CVE-2012-2340

BugLink: http://bugs.launchpad.net/bugs/1031112

Jay Fenlason (fenlason at redhat.com) found a bug,
that recvfrom() on an RDS socket can return the contents of random kernel
memory to userspace if it was called with an address length larger than
sizeof(struct sockaddr_in).
rds_recvmsg() also fails to set the addr_len parameter properly before
returning, but that's just a bug.
There are also a number of cases where recvfrom() can return an entirely bogus
address. Anything in rds_recvmsg() that returns a non-negative value but does
not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path
at the end of the while(1) loop will return up to 128 bytes of kernel memory
to userspace.


Weiping Pan (1):
  rds: set correct msg_namelen

 net/rds/recv.c |    3 +++
 1 file changed, 3 insertions(+)

-- 
1.7.9.5
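The failure mode the cover letter describes, modelled in userland C as an added example. This is not the patch's own code and is not taken from net/rds/recv.c: the `model_msghdr` struct, the constructed sample source address, the `have_data` flag standing in for the receive-path outcome, and the 128-byte buffer standing in for the kernel's sockaddr_storage are all assumptions made for illustration. The buggy variant leaves msg_namelen untouched on every return path, so the caller's original length comes back and bytes the receive path never wrote are reported as address data; the fixed variant zeroes msg_namelen on entry and sets it only on the path that actually fills the address.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Userland stand-in for the two msghdr fields that matter here: the caller's
 * address buffer (msg_name) and its length (msg_namelen). The length is read
 * as the buffer capacity and written back as the number of bytes filled. */
struct model_msghdr {
    void   *msg_name;
    size_t  msg_namelen;
};

/* Constructed sample source address carried by an incoming message. */
#define SAMPLE_SADDR 0x0a000001u   /* 10.0.0.1 */
#define SAMPLE_SPORT 0x1234u

/* Shared helper: fill the caller's buffer with the sender's address. */
static void fill_sin(struct sockaddr_in *sin)
{
    sin->sin_family = AF_INET;
    sin->sin_port = htons(SAMPLE_SPORT);
    sin->sin_addr.s_addr = htonl(SAMPLE_SADDR);
    memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
}

/* Buggy pattern described in the cover letter: no return path ever assigns
 * msg_namelen, so the caller-supplied length (up to 128) is reported back
 * whether or not the address was written. */
static int recvmsg_buggy(struct model_msghdr *msg, int have_data)
{
    if (!have_data)
        return 0;                       /* early return, msg_namelen untouched */
    if (msg->msg_name)
        fill_sin((struct sockaddr_in *)msg->msg_name);
    return 1;                           /* msg_namelen still untouched */
}

/* Fixed pattern: clear the length on entry so every early return reports
 * zero address bytes, and set it to sizeof(struct sockaddr_in) only on the
 * path that really filled the address. */
static int recvmsg_fixed(struct model_msghdr *msg, int have_data)
{
    msg->msg_namelen = 0;
    if (!have_data)
        return 0;
    if (msg->msg_name) {
        fill_sin((struct sockaddr_in *)msg->msg_name);
        msg->msg_namelen = sizeof(struct sockaddr_in);
    }
    return 1;
}

struct probe_result {
    size_t reported;   /* address length handed back to the caller */
    size_t stale;      /* reported bytes the receive path never wrote */
};

/* Caller-side probe: pre-fill a 128-byte buffer with a marker (standing in
 * for whatever the kernel-side buffer previously held), run one variant, and
 * count how many of the reported bytes still carry the marker. */
struct probe_result probe(int (*impl)(struct model_msghdr *, int), int have_data)
{
    unsigned char addrbuf[128];
    struct model_msghdr msg;
    struct probe_result r = { 0, 0 };
    size_t i;

    memset(addrbuf, 0xA5, sizeof(addrbuf));
    msg.msg_name = addrbuf;
    msg.msg_namelen = sizeof(addrbuf);

    if (impl(&msg, have_data) < 0)
        return r;
    r.reported = msg.msg_namelen;
    for (i = 0; i < r.reported && i < sizeof(addrbuf); i++)
        if (addrbuf[i] == 0xA5)
            r.stale++;
    return r;
}

int main(void)
{
    /* Buggy: 128 bytes reported in both cases, most of them never written. */
    assert(probe(recvmsg_buggy, 0).stale == 128);
    assert(probe(recvmsg_buggy, 1).stale == 128 - sizeof(struct sockaddr_in));
    /* Fixed: nothing reported without data, exactly one sockaddr_in with it. */
    assert(probe(recvmsg_fixed, 0).reported == 0);
    assert(probe(recvmsg_fixed, 1).reported == sizeof(struct sockaddr_in));
    return 0;
}
```

The `stale` count is the practitioner's check: any reported byte the receive path did not write is buffer content leaking across the kernel/user boundary, which is why the fix has to set the length on every path rather than only on the one that fills the address.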