05-26-2011, 04:07 PM
Andy Whitcroft

can: add missing socket check in can/raw release

CVE-2011-1748
The raw_release function in net/can/raw.c in the Linux kernel
before 2.6.39-rc6 does not properly validate a socket data
structure, which allows local users to cause a denial of service
(NULL pointer dereference) or possibly have unspecified other
impact via a crafted release operation.

The fix for this issue is already applied to Oneiric, Natty, and Lucid
arriving via mainline/stable updates. Neither Hardy nor Dapper
contains the affected protocol. Following this email is a patch for
Maverick cherry-picked from mainline.

Proposing for Maverick.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
05-26-2011, 04:07 PM
Andy Whitcroft

can: add missing socket check in can/raw release

From: Oliver Hartkopp <socketcan@hartkopp.net>

v2: added space after 'if' according to code style.

We can get here with a NULL socket argument passed from userspace,
so we need to handle it accordingly.

Thanks to Dave Jones for pointing at this issue in net/can/bcm.c

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2011-1748
BugLink: http://bugs.launchpad.net/bugs/788694
(cherry picked from commit 10022a6c66e199d8f61d9044543f38785713cbbd)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/can/raw.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/can/raw.c b/net/can/raw.c
index 1650599..9ae3b9b 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -281,7 +281,12 @@ static int raw_init(struct sock *sk)
static int raw_release(struct socket *sock)
{
struct sock *sk = sock->sk;
- struct raw_sock *ro = raw_sk(sk);
+ struct raw_sock *ro;
+
+ if (!sk)
+ return 0;
+
+ ro = raw_sk(sk);

unregister_netdevice_notifier(&ro->notifier);
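
Review bot: The guard `if (!sk)` tests `sock->sk`, but the initializer `struct sock *sk = sock->sk;` still dereferences `sock` unconditionally, while the commit message speaks of "a NULL socket argument". A one-line comment above the check stating that it is `sock->sk` that can be NULL on this release path, and that `sock` itself is assumed valid, would keep the guard from being misread or dropped in a later cleanup. The commit message also credits a report against net/can/bcm.c, and the diffstat here covers only net/can/raw.c, so it is worth confirming that the bcm.c counterpart is queued for Maverick as well.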

--
1.7.4.1


 
05-26-2011, 04:19 PM
Tim Gardner

can: add missing socket check in can/raw release

On 05/26/2011 10:07 AM, Andy Whitcroft wrote:

> CVE-2011-1748
> The raw_release function in net/can/raw.c in the Linux kernel
> before 2.6.39-rc6 does not properly validate a socket data
> structure, which allows local users to cause a denial of service
> (NULL pointer dereference) or possibly have unspecified other
> impact via a crafted release operation.
>
> The fix for this issue is already applied to Oneiric, Natty, and Lucid
> arriving via mainline/stable updates. Neither Hardy nor Dapper
> contains the affected protocol. Following this email is a patch for
> Maverick cherry-picked from mainline.
>
> Proposing for Maverick.
>
> -apw



applied

--
Tim Gardner tim.gardner@canonical.com
