APPLIED: [CVE-2018-5332][T/X/A][SRU][PATCH 1/1] RDS: Heap OOB write in rds_message_alloc_sgs()

Kleber Souza kleber.souza at canonical.com
Thu Mar 1 11:40:01 UTC 2018


Hi Khaled,

When partially applying a patch, i.e. applying it to a subset of the
series that that patch or patch set is targeted for, please include the
applied series on the email subject. For example in this case:

APPLIED[A/X]: [CVE-2018-5332][T/X/A][SRU][PATCH 1/1] ...

This helps us identify to which series the patch is still needed and
avoid it falling through the cracks.

Thanks,
Kleber

On 02/17/18 05:39, Khaled Elmously wrote:
> Applied to artful and xenial
> 
> On 2018-01-23 15:54:18 , Po-Hsu Lin wrote:
>> From: Mohamed Ghannam <simo.ghannam at gmail.com>
>>
>> CVE-2018-5332
>>
>> When args->nr_local is 0, nr_pages gets also 0 due to some size
>> calculation via rds_rm_size(), which is later used to allocate
>> pages for DMA, this bug produces a heap Out-Of-Bound write access
>> to a specific memory region.
>>
>> Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
>> Signed-off-by: David S. Miller <davem at davemloft.net>
>> (cherry picked from commit c095508770aebf1b9218e77026e48345d719b17c)
>> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
>> ---
>>  net/rds/rdma.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
>> index 8d3a851..c7b7590 100644
>> --- a/net/rds/rdma.c
>> +++ b/net/rds/rdma.c
>> @@ -517,6 +517,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
>>  
>>  	local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
>>  
>> +	if (args->nr_local == 0)
>> +		return -EINVAL;
>> +
>>  	/* figure out the number of pages in the vector */
>>  	for (i = 0; i < args->nr_local; i++) {
>>  		if (copy_from_user(&vec, &local_vec[i],
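Review bot: The new `args->nr_local == 0` check in rds_rdma_extra_size() has no comment explaining why an empty vector is rejected. Per the commit message, the reason is that a zero nr_pages later reaches the DMA page allocation, which happens outside this function. A one-line comment above the check stating that would keep it from being removed as redundant later. It is also worth confirming that the page-count loop below cannot still total zero pages when nr_local is non-zero, since the visible lines only reject the empty-vector case.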
>> -- 
>> 2.7.4
>>
>>
>> -- 
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 



