APPLIED: [CVE-2018-5332][T/X/A][SRU][PATCH 1/1] RDS: Heap OOB write in rds_message_alloc_sgs()
Khaled Elmously
khalid.elmously at canonical.com
Thu Mar 1 15:29:02 UTC 2018
ack!
Just FYI, this patch _has_ been applied to all its targets. I'm not sure why I said "Applied to artful and xenial". I should have said "Applied to artful and xenial and trusty" or just "applied".
Thanks
Khaled
On 2018-03-01 12:40:01 , Kleber Sacilotto wrote:
> Hi Khaled,
>
> When partially applying a patch, i.e. applying it to a subset of the
> series that that patch or patch set is targeted for, please include the
> applied series on the email subject. For example in this case:
>
> APPLIED[A/X]: [CVE-2018-5332][T/X/A][SRU][PATCH 1/1] ...
>
> This helps us identify to which series the patch is still needed and
> avoid it falling through the cracks.
>
> Thanks,
> Kleber
>
> On 02/17/18 05:39, Khaled Elmously wrote:
> > Applied to artful and xenial
> >
> > On 2018-01-23 15:54:18 , Po-Hsu Lin wrote:
> >> From: Mohamed Ghannam <simo.ghannam at gmail.com>
> >>
> >> CVE-2018-5332
> >>
> >> When args->nr_local is 0, nr_pages gets also 0 due some size
> >> calculation via rds_rm_size(), which is later used to allocate
> >> pages for DMA, this bug produces a heap Out-Of-Bound write access
> >> to a specific memory region.
> >>
> >> Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
> >> Signed-off-by: David S. Miller <davem at davemloft.net>
> >> (cherry picked from commit c095508770aebf1b9218e77026e48345d719b17c)
> >> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> >> ---
> >> net/rds/rdma.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
> >> index 8d3a851..c7b7590 100644
> >> --- a/net/rds/rdma.c
> >> +++ b/net/rds/rdma.c
> >> @@ -517,6 +517,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
> >>
> >> local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
> >>
> >> + if (args->nr_local == 0)
> >> + return -EINVAL;
> >> +
> >> /* figure out the number of pages in the vector */
> >> for (i = 0; i < args->nr_local; i++) {
> >> if (copy_from_user(&vec, &local_vec[i],
> >> --
> >> 2.7.4
> >>
> >>
> >> --
> >> kernel-team mailing list
> >> kernel-team at lists.ubuntu.com
> >> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> >
More information about the kernel-team
mailing list