rpms/kernel/F-9 linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch, NONE, 1.1 kernel.spec, 1.689, 1.690
Chuck Ebbert (cebbert)
fedora-extras-commits at redhat.com
Tue Jun 24 16:03:50 UTC 2008
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11524
Modified Files:
kernel.spec
Added Files:
linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
Log Message:
* Tue Jun 24 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-71
- pppol2tp: fix heap overflow (CVE-2008-2750) (#452111)
linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch:
--- NEW FILE linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch ---
From: James Chapman <jchapman at katalix.com>
Date: Tue, 10 Jun 2008 19:35:00 +0000 (-0700)
Subject: l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
X-Git-Tag: v2.6.26-rc6~13^2~10
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=6b6707a50c7598a83820077393f8823ab791abf8
l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into uninitialized data on the kernel
heap, interpret it as an iovec and start modifying memory.
The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.
Reported-by: Ilja <ilja at netric.org>
Signed-off-by: James Chapman <jchapman at katalix.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
---
F8: bz 452110
F9: bz 452111
diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
index 70cfdb4..f929882 100644
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
err = 0;
skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
flags & MSG_DONTWAIT, &err);
- if (skb) {
- err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
- skb->len);
- if (err < 0)
- goto do_skb_free;
- err = skb->len;
- }
-do_skb_free:
+ if (!skb)
+ goto end;
+
+ if (len > skb->len)
+ len = skb->len;
+ else if (len < skb->len)
+ msg->msg_flags |= MSG_TRUNC;
+
+ err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
+ if (likely(err == 0))
+ err = len;
+
kfree_skb(skb);
end:
return err;
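Review bot: the clamp on `len` and the `MSG_TRUNC` flag are the whole point of this hunk, yet nothing in the code says why `len` rather than `skb->len` is now handed to `skb_copy_datagram_iovec()`; a one-line comment above `if (len > skb->len)` noting that the old `memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data, skb->len)` trusted the packet length instead of the caller's buffer would save the next reader a trip to the commit message. The error path is right as written: a negative return from `skb_copy_datagram_iovec()` still reaches `kfree_skb(skb)` and is propagated unchanged, which is what the removed `do_skb_free` label used to guarantee.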
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/kernel.spec,v
retrieving revision 1.689
retrieving revision 1.690
diff -u -r1.689 -r1.690
--- kernel.spec 24 Jun 2008 05:37:13 -0000 1.689
+++ kernel.spec 24 Jun 2008 16:02:55 -0000 1.690
@@ -618,6 +618,7 @@
Patch424: linux-2.6-fs-fat-relax-permission-check-of-fat_setattr.patch
Patch430: linux-2.6-net-silence-noisy-printks.patch
+Patch431: linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
Patch450: linux-2.6-input-kill-stupid-messages.patch
Patch451: linux-2.6-input-fix_fn_key_on_macbookpro_4_1_and_mb_air.patch
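Review bot: `Patch431:` lands in the networking slot between `Patch430` and `Patch450`, which is the right place; consider tagging this definition with `# CVE-2008-2750` too, so the patch can be found by CVE id from the Patch list without first locating the `ApplyPatch` site below.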
@@ -1164,6 +1165,8 @@
# Networking
# Disable easy to trigger printk's.
ApplyPatch linux-2.6-net-silence-noisy-printks.patch
+# CVE-2008-2750: l2tp heap overflow
+ApplyPatch linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
# Misc fixes
# The input layer spews crap no-one cares about.
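Review bot: the comment `# CVE-2008-2750: l2tp heap overflow` is narrower than what the upstream description says, which is that the copy walks into uninitialized heap memory and interprets it as an iovec; wording it as "memory corruption in pppol2tp_recvmsg()" would match both the patch file name and the commit subject. Carrying the bug number (#452111) here as the changelog does would also keep the two references together.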
@@ -1855,6 +1858,9 @@
%kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
%changelog
+* Tue Jun 24 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-71
+- pppolt2p: fix heap overflow (CVE-2008-2750) (#452111)
+
* Mon Jun 23 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-70
- libata: retry enable of AHCI mode before reporting an error (#452595)
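Review bot: `pppolt2p` in the new changelog line is a typo for `pppol2tp` (the driver is `drivers/net/pppol2tp.c` and the patch file name spells it correctly); fix it before the entry is baked into the package changelog. Otherwise the entry carries the CVE id and the F-9 bug number, which is what the changelog needs.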
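The clamp-and-flag logic the commit message describes, as an added user-space model that is not code from the patch or the Fedora package; `struct iovec` comes from <sys/uio.h>, and the `MODEL_MSG_TRUNC` value and the function names are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>

/* Added example, not from the Fedora package or the upstream patch: a user-space
 * model of the datagram-to-iovec copy in pppol2tp_recvmsg() with the bounds
 * discipline the fix introduces. MODEL_MSG_TRUNC and all names are assumptions. */
#define MODEL_MSG_TRUNC 0x20  /* Linux's MSG_TRUNC bit, assumed here for the model */

/* Total room the caller offered; the syscall layer derives it from msg_iov. */
static size_t iov_capacity(const struct iovec *iov, size_t niov)
{
    size_t total = 0;
    for (size_t i = 0; i < niov; i++)
        total += iov[i].iov_len;
    return total;
}

/* Deliver a datagram of skb_len bytes into iov[0..niov). Returns bytes copied and
 * sets MODEL_MSG_TRUNC in *msg_flags when the datagram did not fit. The loop is
 * bounded by niov and the clamped len, so it cannot walk past the last iovec the
 * way an unclamped skb->len count could. */
static size_t recv_datagram_into_iov(const unsigned char *skb_data, size_t skb_len,
                                     struct iovec *iov, size_t niov, int *msg_flags)
{
    size_t len = iov_capacity(iov, niov);
    if (len > skb_len)
        len = skb_len;                  /* more room than data: copy it all */
    else if (len < skb_len)
        *msg_flags |= MODEL_MSG_TRUNC;  /* less room than data: copy what fits, flag it */

    size_t copied = 0;
    for (size_t i = 0; i < niov && copied < len; i++) {
        size_t chunk = iov[i].iov_len;
        if (chunk > len - copied)
            chunk = len - copied;
        memcpy(iov[i].iov_base, skb_data + copied, chunk);
        copied += chunk;
    }
    return copied;
}

/* Constructed case: a 12-byte packet offered a 3-byte plus a 5-byte buffer. */
static size_t demo_truncated_receive(int *flags_out)
{
    static const unsigned char pkt[] = "L2TP-PAYLOAD";   /* 12 bytes plus NUL */
    unsigned char a[3], b[5];
    struct iovec iov[2] = { { a, sizeof a }, { b, sizeof b } };
    *flags_out = 0;
    return recv_datagram_into_iov(pkt, sizeof pkt - 1, iov, 2, flags_out);  /* 8 */
}
```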