ACK: [CVE-2018-5332][T/X/A][SRU][PATCH 1/1] RDS: Heap OOB write in rds_message_alloc_sgs()
Khaled Elmously
khalid.elmously at canonical.com
Tue Jan 30 16:25:55 UTC 2018
On 2018-01-23 15:54:18 , Po-Hsu Lin wrote:
> From: Mohamed Ghannam <simo.ghannam at gmail.com>
>
> CVE-2018-5332
>
> When args->nr_local is 0, nr_pages gets also 0 due to some size
> calculation via rds_rm_size(), which is later used to allocate
> pages for DMA, this bug produces a heap Out-Of-Bound write access
> to a specific memory region.
>
> Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit c095508770aebf1b9218e77026e48345d719b17c)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
> net/rds/rdma.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
> index 8d3a851..c7b7590 100644
> --- a/net/rds/rdma.c
> +++ b/net/rds/rdma.c
> @@ -517,6 +517,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
>
> local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
>
> + if (args->nr_local == 0)
> + return -EINVAL;
> +
> /* figure out the number of pages in the vector */
> for (i = 0; i < args->nr_local; i++) {
> if (copy_from_user(&vec, &local_vec[i],
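Review bot: The new `if (args->nr_local == 0)` check in rds_rdma_extra_size() has no comment saying why a zero-length vector must be rejected, and the function it sits in is not the one named in the subject line (rds_message_alloc_sgs()). A one-line comment above the check tying it to the zero nr_pages case from the commit message would keep a later cleanup from removing it. Since the function is named for a size and now returns -EINVAL on this path, confirm that its callers, which are not visible in this hunk, treat a negative return as an error rather than as a length. A defensive check for a zero count at the allocation site itself would also be worth considering, so that the write stays bounded if another path reaches it.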
Acked-by: Khalid Elmously <khalid.elmously at canonical.com>