FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 09-07-2012, 06:02 PM
Tim Gardner
 
Default net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

From: Jason Wang <jasowang@redhat.com>

CVE-2012-2136

BugLink: http://bugs.launchpad.net/bugs/1006622

We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
debian/binary-custom.d/openvz/src/net/core/sock.c | 5 +++++
debian/binary-custom.d/xen/src/net/core/sock.c | 7 +++++--
net/core/sock.c | 7 +++++--
3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/debian/binary-custom.d/openvz/src/net/core/sock.c b/debian/binary-custom.d/openvz/src/net/core/sock.c
index b66126b..46f0afc 100644
--- a/debian/binary-custom.d/openvz/src/net/core/sock.c
+++ b/debian/binary-custom.d/openvz/src/net/core/sock.c
@@ -1267,6 +1267,11 @@ struct sk_buff *sock_alloc_send_skb2(struct sock *sk, unsigned long size,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (size + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;

gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
diff --git a/debian/binary-custom.d/xen/src/net/core/sock.c b/debian/binary-custom.d/xen/src/net/core/sock.c
index b0e5208..a39b6aa 100644
--- a/debian/binary-custom.d/xen/src/net/core/sock.c
+++ b/debian/binary-custom.d/xen/src/net/core/sock.c
@@ -1233,6 +1233,11 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;

gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
@@ -1251,14 +1256,12 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
skb = alloc_skb(header_len, gfp_mask);
if (skb) {
- int npages;
int i;

/* No pages, we're done... */
if (!data_len)
break;

- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
skb->truesize += data_len;
skb_shinfo(skb)->nr_frags = npages;
for (i = 0; i < npages; i++) {
diff --git a/net/core/sock.c b/net/core/sock.c
index b0e5208..a39b6aa 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1233,6 +1233,11 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;

gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
@@ -1251,14 +1256,12 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
skb = alloc_skb(header_len, gfp_mask);
if (skb) {
- int npages;
int i;

/* No pages, we're done... */
if (!data_len)
break;

- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
skb->truesize += data_len;
skb_shinfo(skb)->nr_frags = npages;
for (i = 0; i < npages; i++) {
--
1.7.9.5


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 09-10-2012, 08:32 AM
Colin Ian King
 
Default net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

On 07/09/12 19:02, Tim Gardner wrote:

From: Jason Wang <jasowang@redhat.com>

CVE-2012-2136

BugLink: http://bugs.launchpad.net/bugs/1006622

We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc)



Minor quibble, this is also a back-port for the openvz version of sock.c
rather than a clean cherry-pick.



Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
debian/binary-custom.d/openvz/src/net/core/sock.c | 5 +++++
debian/binary-custom.d/xen/src/net/core/sock.c | 7 +++++--
net/core/sock.c | 7 +++++--
3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/debian/binary-custom.d/openvz/src/net/core/sock.c b/debian/binary-custom.d/openvz/src/net/core/sock.c
index b66126b..46f0afc 100644
--- a/debian/binary-custom.d/openvz/src/net/core/sock.c
+++ b/debian/binary-custom.d/openvz/src/net/core/sock.c
@@ -1267,6 +1267,11 @@ struct sk_buff *sock_alloc_send_skb2(struct sock *sk, unsigned long size,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (size + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;

gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
diff --git a/debian/binary-custom.d/xen/src/net/core/sock.c b/debian/binary-custom.d/xen/src/net/core/sock.c
index b0e5208..a39b6aa 100644
--- a/debian/binary-custom.d/xen/src/net/core/sock.c
+++ b/debian/binary-custom.d/xen/src/net/core/sock.c
@@ -1233,6 +1233,11 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;

gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
@@ -1251,14 +1256,12 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
skb = alloc_skb(header_len, gfp_mask);
if (skb) {
- int npages;
int i;

/* No pages, we're done... */
if (!data_len)
break;

- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
skb->truesize += data_len;
skb_shinfo(skb)->nr_frags = npages;
for (i = 0; i < npages; i++) {
diff --git a/net/core/sock.c b/net/core/sock.c
index b0e5208..a39b6aa 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1233,6 +1233,11 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
gfp_t gfp_mask;
long timeo;
int err;
+ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+ err = -EMSGSIZE;
+ if (npages > MAX_SKB_FRAGS)
+ goto failure;

gfp_mask = sk->sk_allocation;
if (gfp_mask & __GFP_WAIT)
@@ -1251,14 +1256,12 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
skb = alloc_skb(header_len, gfp_mask);
if (skb) {
- int npages;
int i;

/* No pages, we're done... */
if (!data_len)
break;

- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
skb->truesize += data_len;
skb_shinfo(skb)->nr_frags = npages;
for (i = 0; i < npages; i++) {



Looks OK to me.

Acked-by: Colin Ian King <colin.king@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 09-10-2012, 01:03 PM
Tim Gardner
 
Default net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

On 09/10/2012 02:32 AM, Colin Ian King wrote:
> On 07/09/12 19:02, Tim Gardner wrote:
>> From: Jason Wang <jasowang@redhat.com>
>>
>> CVE-2012-2136
>>
>> BugLink: http://bugs.launchpad.net/bugs/1006622
>>
>> We need to validate the number of pages consumed by data_len,
>> otherwise frags
>> array could be overflowed by userspace. So this patch validate
>> data_len and
>> return -EMSGSIZE when data_len may occupies more frags than
>> MAX_SKB_FRAGS.
>>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
>> (cherry picked from commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc)
>>
>
> Minor quibble, this is also a back-port for the openvz version of sock.c
> rather than a clean cherry-pick.
>

I guess I made the assumption that anyone doing maintenance on Hardy
would know that the custom binary patches _couldn't_ be cherry-picks.
But you are correct that I could have noted xen applied cleanly whereas
openvz required some futzing (as usual). I'll get that info into the
final patch.

rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 01:30 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org