Home| summaryrefslogtreecommitdiff |
| author | Jiri Bohac <jbohac@suse.cz> | 2012-06-12 13:11:06 (GMT) |
|---|---|---|
| committer | Jiri Bohac <jbohac@suse.cz> | 2012-06-12 13:11:06 (GMT) |
| commit | 0715eaec0cda449f9e552aad86dee1044c63a298 (patch) (side-by-side diff) | |
| tree | 1b70bbc27826ba781e2fb7b93fc4eeaa6ef97a57 | |
| parent | d2f2590bcc3291fec16d559e88a5a2bfd16bacec (diff) | |
net: sock: validate data_len before allocating skb in
sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136).
| -rw-r--r-- | patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch | 45 | ||||
| -rw-r--r-- | series.conf | 1 |
2 files changed, 46 insertions, 0 deletions
diff --git a/patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch b/patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch new file mode 100644 index 0000000..e3f9b4e --- a/dev/null +++ b/patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch @@ -0,0 +1,45 @@ +From: Jason Wang <jasowang@redhat.com> +Subject: net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() +Git-commit: cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc +Patch-mainline: 3.5 +References: bnc#765320, CVE-2012-2136 +Acked-by: Jiri Bohac <jbohac@suse.cz> + +We need to validate the number of pages consumed by data_len, otherwise frags +array could be overflowed by userspace. So this patch validate data_len and +return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS. + +Signed-off-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/sock.c b/net/core/sock.c +index 653f8c0..9e5b71f 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1592,6 +1592,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + gfp_t gfp_mask; + long timeo; + int err; ++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; ++ ++ err = -EMSGSIZE; ++ if (npages > MAX_SKB_FRAGS) ++ goto failure; + + gfp_mask = sk->sk_allocation; + if (gfp_mask & __GFP_WAIT) +@@ -1610,14 +1615,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) { + skb = alloc_skb(header_len, gfp_mask); + if (skb) { +- int npages; + int i; + + /* No pages, we're done... */ + if (!data_len) + break; + +- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; + skb->truesize += data_len; + skb_shinfo(skb)->nr_frags = npages; + for (i = 0; i < npages; i++) { diff --git a/series.conf b/series.conf index 2c04f8a..d0769d6 100644 --- a/series.conf +++ b/series.conf @@ -320,6 +320,7 @@ ######################################################## patches.fixes/bridge-module-get-put.patch patches.fixes/net-Fix-a-potential-rcu_read_lock-imbalance-in-rt6_fill_node.patch + patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch ######################################################## # NFS |