diff options
| author | Ben Hutchings <benh@debian.org> | 2012-06-11 01:14:36 +0000 |
|---|---|---|
| committer | Ben Hutchings <benh@debian.org> | 2012-06-11 01:14:36 +0000 |
| commit | e86e382c7531829b8366ed225c053784d0ec2c0d (patch) | |
| tree | e15b6d59684a40e0c4baaadece452dee1f76983b | |
| parent | 423985846ce3be9ebef0dade785336577cca4038 (diff) | |
| download | kernel_replicant_linux-e86e382c7531829b8366ed225c053784d0ec2c0d.tar.gz kernel_replicant_linux-e86e382c7531829b8366ed225c053784d0ec2c0d.tar.bz2 kernel_replicant_linux-e86e382c7531829b8366ed225c053784d0ec2c0d.zip | |
net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (CVE-2012-2136)
svn path=/dists/sid/linux/; revision=19120
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch | 48 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 51 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 0dbb5e74c62f..1897afeb2e0f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -49,6 +49,8 @@ linux (3.2.20-1) UNRELEASED; urgency=low * linux-source: Add single patch for each featureset * [x86] Enable CRASH_DUMP, PROC_VMCORE (Closes: #623177) * media/dvb: Enable DVB_DDBRIDGE as module (Closes: #676952) + * net: sock: validate data_len before allocating skb in + sock_alloc_send_pskb() (CVE-2012-2136) [ Bastian Blank ] * [s390/s390x,s390x/s390x] Build debugging symbols. diff --git a/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch b/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch new file mode 100644 index 000000000000..86b0554bc2c0 --- /dev/null +++ b/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch @@ -0,0 +1,48 @@ +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 30 May 2012 21:18:10 +0000 +Subject: net: sock: validate data_len before allocating skb in + sock_alloc_send_pskb() + +commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc upstream. + +We need to validate the number of pages consumed by data_len, otherwise frags +array could be overflowed by userspace. So this patch validate data_len and +return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS. + +Signed-off-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/core/sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 653f8c0..9e5b71f 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1592,6 +1592,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + gfp_t gfp_mask; + long timeo; + int err; ++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; ++ ++ err = -EMSGSIZE; ++ if (npages > MAX_SKB_FRAGS) ++ goto failure; + + gfp_mask = sk->sk_allocation; + if (gfp_mask & __GFP_WAIT) +@@ -1610,14 +1615,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) { + skb = alloc_skb(header_len, gfp_mask); + if (skb) { +- int npages; + int i; + + /* No pages, we're done... */ + if (!data_len) + break; + +- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; + skb->truesize += data_len; + skb_shinfo(skb)->nr_frags = npages; + for (i = 0; i < npages; i++) { diff --git a/debian/patches/series b/debian/patches/series index 88ca4c341d11..27fa4d5cf348 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -317,3 +317,4 @@ debian/avoid-ABI-change-for-hidepid.patch bugfix/all/NFSv4-Reduce-the-footprint-of-the-idmapper.patch bugfix/all/NFSv4-Further-reduce-the-footprint-of-the-idmapper.patch +bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch |