rpms/kernel/F-8 linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch, NONE, 1.1 kernel.spec, 1.475, 1.476

Chuck Ebbert (cebbert) fedora-extras-commits at redhat.com
Tue Jun 24 16:02:06 UTC 2008


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11309

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch 
Log Message:
* Tue Jun 24 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-36
- pppol2tp: fix heap overflow (CVE-2008-2750) (#452110)


linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch:

--- NEW FILE linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch ---
From: James Chapman <jchapman at katalix.com>
Date: Tue, 10 Jun 2008 19:35:00 +0000 (-0700)
Subject: l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
X-Git-Tag: v2.6.26-rc6~13^2~10
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=6b6707a50c7598a83820077393f8823ab791abf8

l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into uninitialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja at netric.org>
Signed-off-by: James Chapman <jchapman at katalix.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
---
F8: bz 452110
F9: bz 452111
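The overrun the commit message describes, modelled in user space as an added example (not code from the patch or from the kernel): a bounded stand-in for the memcpy_toiovec() walk over the caller's iovec array, the pre-fix copy that pushes skb->len bytes regardless of the room supplied, and the post-fix clamp that sets MSG_TRUNC. The names iov, iov_total, copy_to_iov, recvmsg_old, recvmsg_fixed and MSG_TRUNC_FLAG are this example's own, and the datagram bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

#define MSG_TRUNC_FLAG 0x20   /* value of MSG_TRUNC in the Linux uapi headers */

struct iov { char *base; size_t len; };   /* user-space stand-in for struct iovec */
/* Total capacity of the iovec array: the `len` the socket layer hands to recvmsg. */
static size_t iov_total(const struct iov *iov, size_t niov)
{
    size_t total = 0;
    for (size_t i = 0; i < niov; i++)
        total += iov[i].len;
    return total;
}

/* Models the memcpy_toiovec walk: fill each element, then move to the next.
 * The kernel routine has no `niov` bound and keeps dereferencing "iovec"
 * entries after the caller's array ends; this model returns -1 instead. */
static long copy_to_iov(struct iov *iov, size_t niov, const char *src, size_t len)
{
    size_t done = 0;
    for (size_t i = 0; len > 0; i++) {
        if (i >= niov)
            return -1;                 /* would walk past the iovec array */
        size_t n = len < iov[i].len ? len : iov[i].len;
        memcpy(iov[i].base, src + done, n);
        done += n;
        len -= n;
    }
    return (long)done;
}

/* Pre-fix logic: copies skb->len bytes however much room the caller gave. */
static long recvmsg_old(struct iov *iov, size_t niov, const char *skb, size_t skb_len)
{
    return copy_to_iov(iov, niov, skb, skb_len);
}

/* Post-fix logic: clamp to the caller's total length and raise MSG_TRUNC
 * when the datagram did not fit, as the patched pppol2tp_recvmsg does. */
static long recvmsg_fixed(struct iov *iov, size_t niov, const char *skb,
                          size_t skb_len, int *msg_flags)
{
    size_t len = iov_total(iov, niov);
    if (len > skb_len)
        len = skb_len;
    else if (len < skb_len)
        *msg_flags |= MSG_TRUNC_FLAG;
    return copy_to_iov(iov, niov, skb, len);
}
```

With two 4-byte buffers and a 12-byte datagram, the old path runs off the end of the iovec array (reported as -1 here), while the fixed path copies 8 bytes and flags the truncation.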

diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
index 70cfdb4..f929882 100644
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
 	err = 0;
 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
 				flags & MSG_DONTWAIT, &err);
-	if (skb) {
-		err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
-				     skb->len);
-		if (err < 0)
-			goto do_skb_free;
-		err = skb->len;
-	}
-do_skb_free:
+	if (!skb)
+		goto end;
+
+	if (len > skb->len)
+		len = skb->len;
+	else if (len < skb->len)
+		msg->msg_flags |= MSG_TRUNC;
+
+	err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
+	if (likely(err == 0))
+		err = len;
+
 	kfree_skb(skb);
 end:
 	return err;
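Review bot: The clamp `if (len > skb->len) len = skb->len;` together with passing `len` rather than `skb->len` to skb_copy_datagram_iovec() is what closes the overrun, since `len` is the iovec total computed by the socket layer; the `else if` branch then tells the caller via MSG_TRUNC that data was dropped. One point to consider: other datagram receive paths such as udp_recvmsg() return the full skb->len instead of the copied length when the caller passed MSG_TRUNC in `flags`, whereas this hunk always returns the clamped `len`; if PPPoL2TP callers rely on that convention, add `if (flags & MSG_TRUNC) err = skb->len;` after `err = len;`. Error handling is preserved: a negative return from skb_copy_datagram_iovec() falls through to kfree_skb(), so dropping the do_skb_free label leaks nothing.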


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.475
retrieving revision 1.476
diff -u -r1.475 -r1.476
--- kernel.spec	24 Jun 2008 05:41:45 -0000	1.475
+++ kernel.spec	24 Jun 2008 16:01:14 -0000	1.476
@@ -626,6 +626,7 @@
 Patch428: linux-2.6-fs-fat-relax-permission-check-of-fat_setattr.patch
 
 Patch430: linux-2.6-net-silence-noisy-printks.patch
+Patch431: linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
 
 Patch440: linux-2.6-sha_alignment.patch
 Patch450: linux-2.6-input-kill-stupid-messages.patch
@@ -1114,6 +1115,8 @@
 # Networking
 # Disable easy to trigger printk's.
 ApplyPatch linux-2.6-net-silence-noisy-printks.patch
+# CVE-2008-2750: l2tp heap overflow
+ApplyPatch linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
 
 # Misc fixes
 # Fix SHA1 alignment problem on ia64
@@ -1823,6 +1826,9 @@
 
 
 %changelog
+* Tue Jun 24 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-36
+- pppolt2p: fix heap overflow (CVE-2008-2750) (#452110)
+
 * Mon Jun 23 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-35
 - libata: retry enable of AHCI mode before reporting an error (F9#452595)
 
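Review bot: The changelog line `- pppolt2p: fix heap overflow (CVE-2008-2750) (#452110)` misspells the driver name; it should read `pppol2tp`, matching the patch filename and the upstream subject line.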
