FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 01-28-2011, 01:36 PM
Stefan Bader
 
Default Karmic, Lucid, Maverick: SRU: CVE-2010-3865

Code has changed reasonable since Maverick but same patch applies to
all older affected releases.
 
Old 01-28-2011, 02:01 PM
Tim Gardner
 
Default Karmic, Lucid, Maverick: SRU: CVE-2010-3865

On 01/28/2011 07:36 AM, Stefan Bader wrote:

Code has changed reasonable since Maverick but same patch applies to
all older affected releases.

From 2a8309b4f615072025743fae22147be5aa8e86cd Mon Sep 17 00:00:00 2001
From: Linus Torvalds<torvalds@linux-foundation.org>
Date: Thu, 28 Oct 2010 15:40:55 +0000
Subject: [PATCH] net: fix rds_iovec page count overflow

BugLink: http://bugs.launchpad.net/bugs/709153
CVE-2010-3865

As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate
error code.

Reported-by: Thomas Pollet<thomas.pollet@gmail.com>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
Signed-off-by: Andy Grover<andy.grover@oracle.com>
Signed-off-by: David S. Miller<davem@davemloft.net>
(backported from commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream)
Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
---
net/rds/rdma.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 3998967..0a403a7 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -500,6 +500,16 @@ static struct rds_rdma_op *rds_rdma_prepare(struct rds_sock *rs,

max_pages = max(nr, max_pages);
nr_pages += nr;
+
+ /*
+ * nr for one entry in limited to (UINT_MAX>>PAGE_SHIFT)+1
+ * so nr_pages cannot overflow without first going negative.
+ * If nr cannot overflow then max_pages should be ok.
+ */
+ if (nr_pages< 0) {
+ ret = -EINVAL;
+ goto out;
+ }
}

pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);


I'm kind of uncomfortable comparing an 'unsigned int' against 0. IIRC
the results are somewhat compiler dependent. Wouldn't it be clearer if
it was 'if (nr_pages >= INT_MAX)' ?


rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 01-28-2011, 02:12 PM
Stefan Bader
 
Default Karmic, Lucid, Maverick: SRU: CVE-2010-3865

This is a multi-part message in MIME format.On 01/28/2011 04:01 PM, Tim Gardner wrote:
> On 01/28/2011 07:36 AM, Stefan Bader wrote:
>> Code has changed reasonable since Maverick but same patch applies to
>> all older affected releases.
>>
>> From 2a8309b4f615072025743fae22147be5aa8e86cd Mon Sep 17 00:00:00 2001
>> From: Linus Torvalds<torvalds@linux-foundation.org>
>> Date: Thu, 28 Oct 2010 15:40:55 +0000
>> Subject: [PATCH] net: fix rds_iovec page count overflow
>>
>> BugLink: http://bugs.launchpad.net/bugs/709153
>> CVE-2010-3865
>>
>> As reported by Thomas Pollet, the rdma page counting can overflow. We
>> get the rdma sizes in 64-bit unsigned entities, but then limit it to
>> UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
>> an unaligned address).
>>
>> So each individual page count fits comfortably in an 'unsigned int' (not
>> even close to overflowing into signed), but as they are added up, they
>> might end up resulting in a signed return value. Which would be wrong.
>>
>> Catch the case of tot_pages turning negative, and return the appropriate
>> error code.
>>
>> Reported-by: Thomas Pollet<thomas.pollet@gmail.com>
>> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>> Signed-off-by: Andy Grover<andy.grover@oracle.com>
>> Signed-off-by: David S. Miller<davem@davemloft.net>
>> (backported from commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream)
>> Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
>> ---
>> net/rds/rdma.c | 10 ++++++++++
>> 1 files changed, 10 insertions(+), 0 deletions(-)
>>
>> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
>> index 3998967..0a403a7 100644
>> --- a/net/rds/rdma.c
>> +++ b/net/rds/rdma.c
>> @@ -500,6 +500,16 @@ static struct rds_rdma_op *rds_rdma_prepare(struct
>> rds_sock *rs,
>>
>> max_pages = max(nr, max_pages);
>> nr_pages += nr;
>> +
>> + /*
>> + * nr for one entry in limited to (UINT_MAX>>PAGE_SHIFT)+1
>> + * so nr_pages cannot overflow without first going negative.
>> + * If nr cannot overflow then max_pages should be ok.
>> + */
>> + if (nr_pages< 0) {
>> + ret = -EINVAL;
>> + goto out;
>> + }
>> }
>>
>> pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);
>
> I'm kind of uncomfortable comparing an 'unsigned int' against 0. IIRC the
> results are somewhat compiler dependent. Wouldn't it be clearer if it was 'if
> (nr_pages >= INT_MAX)' ?
>
> rtg

Likely better. Just made it >INT_MAX (though that should not make that much
difference).
 
Old 01-28-2011, 02:31 PM
Tim Gardner
 
Default Karmic, Lucid, Maverick: SRU: CVE-2010-3865

On 01/28/2011 08:12 AM, Stefan Bader wrote:

On 01/28/2011 04:01 PM, Tim Gardner wrote:

On 01/28/2011 07:36 AM, Stefan Bader wrote:

Code has changed reasonable since Maverick but same patch applies to
all older affected releases.

From 2a8309b4f615072025743fae22147be5aa8e86cd Mon Sep 17 00:00:00 2001
From: Linus Torvalds<torvalds@linux-foundation.org>
Date: Thu, 28 Oct 2010 15:40:55 +0000
Subject: [PATCH] net: fix rds_iovec page count overflow

BugLink: http://bugs.launchpad.net/bugs/709153
CVE-2010-3865

As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate
error code.

Reported-by: Thomas Pollet<thomas.pollet@gmail.com>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
Signed-off-by: Andy Grover<andy.grover@oracle.com>
Signed-off-by: David S. Miller<davem@davemloft.net>
(backported from commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream)
Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
---
net/rds/rdma.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 3998967..0a403a7 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -500,6 +500,16 @@ static struct rds_rdma_op *rds_rdma_prepare(struct
rds_sock *rs,

max_pages = max(nr, max_pages);
nr_pages += nr;
+
+ /*
+ * nr for one entry in limited to (UINT_MAX>>PAGE_SHIFT)+1
+ * so nr_pages cannot overflow without first going negative.
+ * If nr cannot overflow then max_pages should be ok.
+ */
+ if (nr_pages< 0) {
+ ret = -EINVAL;
+ goto out;
+ }
}

pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);


I'm kind of uncomfortable comparing an 'unsigned int' against 0. IIRC the
results are somewhat compiler dependent. Wouldn't it be clearer if it was 'if
(nr_pages>= INT_MAX)' ?

rtg


Likely better. Just made it>INT_MAX (though that should not make that much
difference).



This change behaves as expected. See attached sample program.

Acked-by: Tim Gardner <tim.gardner@canonical.com>

rtg

--
Tim Gardner tim.gardner@canonical.com
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 01-28-2011, 03:19 PM
Brad Figg
 
Default Karmic, Lucid, Maverick: SRU: CVE-2010-3865

On 01/28/2011 07:12 AM, Stefan Bader wrote:

On 01/28/2011 04:01 PM, Tim Gardner wrote:

On 01/28/2011 07:36 AM, Stefan Bader wrote:

Code has changed reasonable since Maverick but same patch applies to
all older affected releases.

From 2a8309b4f615072025743fae22147be5aa8e86cd Mon Sep 17 00:00:00 2001
From: Linus Torvalds<torvalds@linux-foundation.org>
Date: Thu, 28 Oct 2010 15:40:55 +0000
Subject: [PATCH] net: fix rds_iovec page count overflow

BugLink: http://bugs.launchpad.net/bugs/709153
CVE-2010-3865

As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate
error code.

Reported-by: Thomas Pollet<thomas.pollet@gmail.com>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
Signed-off-by: Andy Grover<andy.grover@oracle.com>
Signed-off-by: David S. Miller<davem@davemloft.net>
(backported from commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream)
Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
---
net/rds/rdma.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 3998967..0a403a7 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -500,6 +500,16 @@ static struct rds_rdma_op *rds_rdma_prepare(struct
rds_sock *rs,

max_pages = max(nr, max_pages);
nr_pages += nr;
+
+ /*
+ * nr for one entry in limited to (UINT_MAX>>PAGE_SHIFT)+1
+ * so nr_pages cannot overflow without first going negative.
+ * If nr cannot overflow then max_pages should be ok.
+ */
+ if (nr_pages< 0) {
+ ret = -EINVAL;
+ goto out;
+ }
}

pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);


I'm kind of uncomfortable comparing an 'unsigned int' against 0. IIRC the
results are somewhat compiler dependent. Wouldn't it be clearer if it was 'if
(nr_pages>= INT_MAX)' ?

rtg


Likely better. Just made it>INT_MAX (though that should not make that much
difference).




Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 01-28-2011, 07:48 PM
Tim Gardner
 
Default Karmic, Lucid, Maverick: SRU: CVE-2010-3865

applied and pushed
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 01:31 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org