rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
On 02/23/2011 09:55 AM, Brad Figg wrote:
From: Dan Rosenberg<drosenberg@vsecurity.com> CVE-2010-4175 BugLink: http://bugs.launchpad.net/bugs/721455 In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This seems to need a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. Signed-off-by: Dan Rosenberg<drosenberg@vsecurity.com> Signed-off-by: David S. Miller<davem@davemloft.net> (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6) Signed-off-by: Brad Figg<brad.figg@canonical.com> --- net/rds/rdma.c | 24 +++++++++++++++++++----- 1 files changed, 19 insertions(+), 5 deletions(-) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index aa3befb..fa2ab42 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -616,18 +616,32 @@ out: int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, struct cmsghdr *cmsg) { + struct rds_rdma_args *args; struct rds_rdma_op *op; + int ret = 0; if (cmsg->cmsg_len< CMSG_LEN(sizeof(struct rds_rdma_args)) - || rm->m_rdma_op != NULL) - return -EINVAL; + || rm->m_rdma_op != NULL) { + ret = -EINVAL; + goto out; + } + + args = CMSG_DATA(cmsg); + + if (args->nr_local> UIO_MAXIOV) { + ret = -EMSGSIZE; + goto out; + } op = rds_rdma_prepare(rs, CMSG_DATA(cmsg)); - if (IS_ERR(op)) - return PTR_ERR(op); + if (IS_ERR(op)) { + ret = PTR_ERR(op); + goto out; + } rds_stats_inc(s_send_rdma); rm->m_rdma_op = op; - return 0; +out: + return ret; } /* Acked-by: Tim Gardner <tim.gardner@canonical.com> -- Tim Gardner tim.gardner@canonical.com -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
On 02/23/2011 09:55 AM, Brad Figg wrote:
From: Dan Rosenberg<drosenberg@vsecurity.com> CVE-2010-4175 BugLink: http://bugs.launchpad.net/bugs/721455 In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This seems to need a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. Signed-off-by: Dan Rosenberg<drosenberg@vsecurity.com> Signed-off-by: David S. Miller<davem@davemloft.net> (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6) Signed-off-by: Brad Figg<brad.figg@canonical.com> --- net/rds/rdma.c | 24 +++++++++++++++++++----- 1 files changed, 19 insertions(+), 5 deletions(-) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index e2ccf7b..f95cf32 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -643,18 +643,32 @@ out: int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, struct cmsghdr *cmsg) { + struct rds_rdma_args *args; struct rds_rdma_op *op; + int ret = 0; if (cmsg->cmsg_len< CMSG_LEN(sizeof(struct rds_rdma_args)) || - rm->m_rdma_op != NULL) - return -EINVAL; + rm->m_rdma_op != NULL) { + ret = -EINVAL; + goto out; + } + + args = CMSG_DATA(cmsg); + + if (args->nr_local> UIO_MAXIOV) { + ret = -EMSGSIZE; + goto out; + } op = rds_rdma_prepare(rs, CMSG_DATA(cmsg)); - if (IS_ERR(op)) - return PTR_ERR(op); + if (IS_ERR(op)) { + ret = PTR_ERR(op); + goto out; + } rds_stats_inc(s_send_rdma); rm->m_rdma_op = op; - return 0; +out: + return ret; } /* Acked-by: Tim Gardner <tim.gardner@canonical.com> -- Tim Gardner tim.gardner@canonical.com -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
On 02/23/2011 08:55 AM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com> > > CVE-2010-4175 > > BugLink: http://bugs.launchpad.net/bugs/721455 > > In rds_cmsg_rdma_args(), the user-provided args->nr_local value is > restricted to less than UINT_MAX. This seems to need a tighter upper > bound, since the calculation of total iov_size can overflow, resulting > in a small sock_kmalloc() allocation. This would probably just result > in walking off the heap and crashing when calling rds_rdma_pages() with > a high count value. If it somehow doesn't crash here, then memory > corruption could occur soon after. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6) > Signed-off-by: Brad Figg <brad.figg@canonical.com> > --- > net/rds/rdma.c | 24 +++++++++++++++++++----- > 1 files changed, 19 insertions(+), 5 deletions(-) > > diff --git a/net/rds/rdma.c b/net/rds/rdma.c > index e2ccf7b..f95cf32 100644 > --- a/net/rds/rdma.c > +++ b/net/rds/rdma.c > @@ -643,18 +643,32 @@ out: > int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, > struct cmsghdr *cmsg) > { > + struct rds_rdma_args *args; > struct rds_rdma_op *op; > + int ret = 0; > > if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args)) || > - rm->m_rdma_op != NULL) > - return -EINVAL; > + rm->m_rdma_op != NULL) { > + ret = -EINVAL; > + goto out; > + } > + > + args = CMSG_DATA(cmsg); > + > + if (args->nr_local > UIO_MAXIOV) { > + ret = -EMSGSIZE; > + goto out; > + } > > op = rds_rdma_prepare(rs, CMSG_DATA(cmsg)); > - if (IS_ERR(op)) > - return PTR_ERR(op); > + if (IS_ERR(op)) { > + ret = PTR_ERR(op); > + goto out; > + } > rds_stats_inc(s_send_rdma); > rm->m_rdma_op = op; > - return 0; > +out: > + return ret; > } > > /* Acked-by: John Johansen <john.johansen@canonical.com> -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
On 02/23/2011 08:55 AM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com> > > CVE-2010-4175 > > BugLink: http://bugs.launchpad.net/bugs/721455 > > In rds_cmsg_rdma_args(), the user-provided args->nr_local value is > restricted to less than UINT_MAX. This seems to need a tighter upper > bound, since the calculation of total iov_size can overflow, resulting > in a small sock_kmalloc() allocation. This would probably just result > in walking off the heap and crashing when calling rds_rdma_pages() with > a high count value. If it somehow doesn't crash here, then memory > corruption could occur soon after. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6) > Signed-off-by: Brad Figg <brad.figg@canonical.com> > --- > net/rds/rdma.c | 24 +++++++++++++++++++----- > 1 files changed, 19 insertions(+), 5 deletions(-) > > diff --git a/net/rds/rdma.c b/net/rds/rdma.c > index aa3befb..fa2ab42 100644 > --- a/net/rds/rdma.c > +++ b/net/rds/rdma.c > @@ -616,18 +616,32 @@ out: > int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, > struct cmsghdr *cmsg) > { > + struct rds_rdma_args *args; > struct rds_rdma_op *op; > + int ret = 0; > > if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args)) > - || rm->m_rdma_op != NULL) > - return -EINVAL; > + || rm->m_rdma_op != NULL) { > + ret = -EINVAL; > + goto out; > + } > + > + args = CMSG_DATA(cmsg); > + > + if (args->nr_local > UIO_MAXIOV) { > + ret = -EMSGSIZE; > + goto out; > + } > > op = rds_rdma_prepare(rs, CMSG_DATA(cmsg)); > - if (IS_ERR(op)) > - return PTR_ERR(op); > + if (IS_ERR(op)) { > + ret = PTR_ERR(op); > + goto out; > + } > rds_stats_inc(s_send_rdma); > rm->m_rdma_op = op; > - return 0; > +out: > + return ret; > } > > /* Acked-by: John Johansen <john.johansen@canonical.com> -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
applied
-- Tim Gardner tim.gardner@canonical.com -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
applied
-- Tim Gardner tim.gardner@canonical.com -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
| All times are GMT. The time now is 10:52 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.