Linux Archive


Andy Whitcroft 05-26-2011 04:07 PM

can: add missing socket check in can/raw release
 
CVE-2011-1748
The raw_release function in net/can/raw.c in the Linux kernel
before 2.6.39-rc6 does not properly validate a socket data
structure, which allows local users to cause a denial of service
(NULL pointer dereference) or possibly have unspecified other
impact via a crafted release operation.

The fix for this issue is already applied to Oneiric, Natty, and Lucid,
arriving via mainline/stable updates. Neither Hardy nor Dapper
contains the affected protocol. Following this email is a patch for
Maverick cherry-picked from mainline.

Proposing for Maverick.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Andy Whitcroft 05-26-2011 04:07 PM

can: add missing socket check in can/raw release
 
From: Oliver Hartkopp <socketcan@hartkopp.net>

v2: added space after 'if' according to code style.

We can get here with a NULL socket argument passed from userspace,
so we need to handle it accordingly.

Thanks to Dave Jones for pointing at this issue in net/can/bcm.c

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2011-1748
BugLink: http://bugs.launchpad.net/bugs/788694
(cherry picked from commit 10022a6c66e199d8f61d9044543f38785713cbbd)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/can/raw.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/can/raw.c b/net/can/raw.c
index 1650599..9ae3b9b 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -281,7 +281,12 @@ static int raw_init(struct sock *sk)
static int raw_release(struct socket *sock)
{
struct sock *sk = sock->sk;
- struct raw_sock *ro = raw_sk(sk);
+ struct raw_sock *ro;
+
+ if (!sk)
+ return 0;
+
+ ro = raw_sk(sk);

unregister_netdevice_notifier(&ro->notifier);
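
Review bot: the commit message describes a NULL socket argument, but the check added at the top of raw_release() tests sk, while sock itself is still dereferenced unconditionally in the initializer `struct sock *sk = sock->sk;`. Suggest rewording the message to say that sock->sk can be NULL at release time, or adding a one-line comment above `if (!sk)` saying when that happens, so the early `return 0;` is not read as also covering a NULL sock. The message also credits a report against net/can/bcm.c, which this patch does not touch; it would help to state whether that file gets its own patch.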

--
1.7.4.1



Tim Gardner 05-26-2011 04:19 PM

can: add missing socket check in can/raw release
 
On 05/26/2011 10:07 AM, Andy Whitcroft wrote:
> CVE-2011-1748
> The raw_release function in net/can/raw.c in the Linux kernel
> before 2.6.39-rc6 does not properly validate a socket data
> structure, which allows local users to cause a denial of service
> (NULL pointer dereference) or possibly have unspecified other
> impact via a crafted release operation.
>
> The fix for this issue is already applied to Oneiric, Natty, and Lucid,
> arriving via mainline/stable updates. Neither Hardy nor Dapper
> contains the affected protocol. Following this email is a patch for
> Maverick cherry-picked from mainline.
>
> Proposing for Maverick.
>
> -apw


applied

--
Tim Gardner tim.gardner@canonical.com


