FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 02-23-2011, 04:45 PM
Tim Gardner
 
Default rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

On 02/23/2011 09:55 AM, Brad Figg wrote:

From: Dan Rosenberg<drosenberg@vsecurity.com>

CVE-2010-4175

BugLink: http://bugs.launchpad.net/bugs/721455

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg<drosenberg@vsecurity.com>
Signed-off-by: David S. Miller<davem@davemloft.net>

(backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6)
Signed-off-by: Brad Figg<brad.figg@canonical.com>
---
net/rds/rdma.c | 24 +++++++++++++++++++-----
1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index aa3befb..fa2ab42 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -616,18 +616,32 @@ out:
int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
struct cmsghdr *cmsg)
{
+ struct rds_rdma_args *args;
struct rds_rdma_op *op;
+ int ret = 0;

if (cmsg->cmsg_len< CMSG_LEN(sizeof(struct rds_rdma_args))
- || rm->m_rdma_op != NULL)
- return -EINVAL;
+ || rm->m_rdma_op != NULL) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ args = CMSG_DATA(cmsg);
+
+ if (args->nr_local> UIO_MAXIOV) {
+ ret = -EMSGSIZE;
+ goto out;
+ }

op = rds_rdma_prepare(rs, CMSG_DATA(cmsg));
- if (IS_ERR(op))
- return PTR_ERR(op);
+ if (IS_ERR(op)) {
+ ret = PTR_ERR(op);
+ goto out;
+ }
rds_stats_inc(s_send_rdma);
rm->m_rdma_op = op;
- return 0;
+out:
+ return ret;
}

/*


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-23-2011, 04:45 PM
Tim Gardner
 
Default rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

On 02/23/2011 09:55 AM, Brad Figg wrote:

From: Dan Rosenberg<drosenberg@vsecurity.com>

CVE-2010-4175

BugLink: http://bugs.launchpad.net/bugs/721455

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg<drosenberg@vsecurity.com>
Signed-off-by: David S. Miller<davem@davemloft.net>

(backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6)
Signed-off-by: Brad Figg<brad.figg@canonical.com>
---
net/rds/rdma.c | 24 +++++++++++++++++++-----
1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index e2ccf7b..f95cf32 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -643,18 +643,32 @@ out:
int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
struct cmsghdr *cmsg)
{
+ struct rds_rdma_args *args;
struct rds_rdma_op *op;
+ int ret = 0;

if (cmsg->cmsg_len< CMSG_LEN(sizeof(struct rds_rdma_args)) ||
- rm->m_rdma_op != NULL)
- return -EINVAL;
+ rm->m_rdma_op != NULL) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ args = CMSG_DATA(cmsg);
+
+ if (args->nr_local> UIO_MAXIOV) {
+ ret = -EMSGSIZE;
+ goto out;
+ }

op = rds_rdma_prepare(rs, CMSG_DATA(cmsg));
- if (IS_ERR(op))
- return PTR_ERR(op);
+ if (IS_ERR(op)) {
+ ret = PTR_ERR(op);
+ goto out;
+ }
rds_stats_inc(s_send_rdma);
rm->m_rdma_op = op;
- return 0;
+out:
+ return ret;
}

/*


Acked-by: Tim Gardner <tim.gardner@canonical.com>
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-23-2011, 07:17 PM
John Johansen
 
Default rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

On 02/23/2011 08:55 AM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> CVE-2010-4175
>
> BugLink: http://bugs.launchpad.net/bugs/721455
>
> In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
> restricted to less than UINT_MAX. This seems to need a tighter upper
> bound, since the calculation of total iov_size can overflow, resulting
> in a small sock_kmalloc() allocation. This would probably just result
> in walking off the heap and crashing when calling rds_rdma_pages() with
> a high count value. If it somehow doesn't crash here, then memory
> corruption could occur soon after.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
> net/rds/rdma.c | 24 +++++++++++++++++++-----
> 1 files changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
> index e2ccf7b..f95cf32 100644
> --- a/net/rds/rdma.c
> +++ b/net/rds/rdma.c
> @@ -643,18 +643,32 @@ out:
> int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
> struct cmsghdr *cmsg)
> {
> + struct rds_rdma_args *args;
> struct rds_rdma_op *op;
> + int ret = 0;
>
> if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args)) ||
> - rm->m_rdma_op != NULL)
> - return -EINVAL;
> + rm->m_rdma_op != NULL) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + args = CMSG_DATA(cmsg);
> +
> + if (args->nr_local > UIO_MAXIOV) {
> + ret = -EMSGSIZE;
> + goto out;
> + }
>
> op = rds_rdma_prepare(rs, CMSG_DATA(cmsg));
> - if (IS_ERR(op))
> - return PTR_ERR(op);
> + if (IS_ERR(op)) {
> + ret = PTR_ERR(op);
> + goto out;
> + }
> rds_stats_inc(s_send_rdma);
> rm->m_rdma_op = op;
> - return 0;
> +out:
> + return ret;
> }
>
> /*
Acked-by: John Johansen <john.johansen@canonical.com>


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-23-2011, 07:17 PM
John Johansen
 
Default rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

On 02/23/2011 08:55 AM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> CVE-2010-4175
>
> BugLink: http://bugs.launchpad.net/bugs/721455
>
> In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
> restricted to less than UINT_MAX. This seems to need a tighter upper
> bound, since the calculation of total iov_size can overflow, resulting
> in a small sock_kmalloc() allocation. This would probably just result
> in walking off the heap and crashing when calling rds_rdma_pages() with
> a high count value. If it somehow doesn't crash here, then memory
> corruption could occur soon after.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> (backport of upstream commit 218854af84038d828a32f061858b1902ed2beec6)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
> net/rds/rdma.c | 24 +++++++++++++++++++-----
> 1 files changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
> index aa3befb..fa2ab42 100644
> --- a/net/rds/rdma.c
> +++ b/net/rds/rdma.c
> @@ -616,18 +616,32 @@ out:
> int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
> struct cmsghdr *cmsg)
> {
> + struct rds_rdma_args *args;
> struct rds_rdma_op *op;
> + int ret = 0;
>
> if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args))
> - || rm->m_rdma_op != NULL)
> - return -EINVAL;
> + || rm->m_rdma_op != NULL) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + args = CMSG_DATA(cmsg);
> +
> + if (args->nr_local > UIO_MAXIOV) {
> + ret = -EMSGSIZE;
> + goto out;
> + }
>
> op = rds_rdma_prepare(rs, CMSG_DATA(cmsg));
> - if (IS_ERR(op))
> - return PTR_ERR(op);
> + if (IS_ERR(op)) {
> + ret = PTR_ERR(op);
> + goto out;
> + }
> rds_stats_inc(s_send_rdma);
> rm->m_rdma_op = op;
> - return 0;
> +out:
> + return ret;
> }
>
> /*
Acked-by: John Johansen <john.johansen@canonical.com>


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-23-2011, 08:41 PM
Tim Gardner
 
Default rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

applied

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-23-2011, 08:49 PM
Tim Gardner
 
Default rds: Integer overflow in RDS cmsg handling, CVE-2010-4175

applied
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 02:40 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org