[PATCH 1/1] [LUCID] [NATTY] [ONEIRIC] [PRECISE] [CVE-2012-2136] net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
Brad Figg
brad.figg at canonical.com
Wed Jul 11 19:42:13 UTC 2012
From: Jason Wang <jasowang at redhat.com>
CVE-2012-2136
BugLink: http://bugs.launchpad.net/bugs/1006622
We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
Signed-off-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
net/core/sock.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index b4943d0..9867b03 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1400,6 +1400,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;
gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
@@ -1418,14 +1423,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
skb = alloc_skb(header_len, gfp_mask);
if (skb) {
- int npages;
int i;
/* No pages, we're done... */
if (!data_len)
break;
- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
skb->truesize += data_len;
skb_shinfo(skb)->nr_frags = npages;
for (i = 0; i < npages; i++) {
--
1.7.9.5
More information about the kernel-team
mailing list