rpms/kernel/F-8 linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch, NONE, 1.1 kernel.spec, 1.475, 1.476
Chuck Ebbert (cebbert)
fedora-extras-commits at redhat.com
Tue Jun 24 16:02:06 UTC 2008
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11309
Modified Files:
kernel.spec
Added Files:
linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
Log Message:
* Tue Jun 24 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-36
- pppol2tp: fix heap overflow (CVE-2008-2750) (#452110)
linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch:
--- NEW FILE linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch ---
From: James Chapman <jchapman at katalix.com>
Date: Tue, 10 Jun 2008 19:35:00 +0000 (-0700)
Subject: l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
X-Git-Tag: v2.6.26-rc6~13^2~10
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=6b6707a50c7598a83820077393f8823ab791abf8
l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into uninitialized data on the kernel
heap, interpret it as an iovec and start modifying memory.
The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.
Reported-by: Ilja <ilja at netric.org>
Signed-off-by: James Chapman <jchapman at katalix.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
---
F8: bz 452110
F9: bz 452111
diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
index 70cfdb4..f929882 100644
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
err = 0;
skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
flags & MSG_DONTWAIT, &err);
- if (skb) {
- err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
- skb->len);
- if (err < 0)
- goto do_skb_free;
- err = skb->len;
- }
-do_skb_free:
+ if (!skb)
+ goto end;
+
+ if (len > skb->len)
+ len = skb->len;
+ else if (len < skb->len)
+ msg->msg_flags |= MSG_TRUNC;
+
+ err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
+ if (likely(err == 0))
+ err = len;
+
kfree_skb(skb);
end:
return err;
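Review bot: the new bound at `if (len > skb->len)` only makes the copy safe because `len` is the total byte length of the caller's `msg->msg_iov`; `skb_copy_datagram_iovec()` still walks the iovec and is limited by `len`, not by `msg_iovlen`, so a one-line comment stating that assumption next to the check would help future readers. Note also that on truncation the function returns the copied `len` rather than `skb->len`, which matches the commit message (MSG_TRUNC is set, truncated length returned) but is worth stating in the comment as well. Dropping the `do_skb_free` label is fine: a failing `skb_copy_datagram_iovec()` now leaves the negative `err` in place and falls through to `kfree_skb(skb)`, so the skb is still freed on the error path, and the `!skb` case jumps to `end` before touching it.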
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.475
retrieving revision 1.476
diff -u -r1.475 -r1.476
--- kernel.spec 24 Jun 2008 05:41:45 -0000 1.475
+++ kernel.spec 24 Jun 2008 16:01:14 -0000 1.476
@@ -626,6 +626,7 @@
Patch428: linux-2.6-fs-fat-relax-permission-check-of-fat_setattr.patch
Patch430: linux-2.6-net-silence-noisy-printks.patch
+Patch431: linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
Patch440: linux-2.6-sha_alignment.patch
Patch450: linux-2.6-input-kill-stupid-messages.patch
@@ -1114,6 +1115,8 @@
# Networking
# Disable easy to trigger printk's.
ApplyPatch linux-2.6-net-silence-noisy-printks.patch
+# CVE-2008-2750: l2tp heap overflow
+ApplyPatch linux-2.6-net-l2tp-fix-potential-memory-corruption-in-pppol2tp_recvmsg.patch
# Misc fixes
# Fix SHA1 alignment problem on ia64
@@ -1823,6 +1826,9 @@
%changelog
+* Tue Jun 24 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-36
+- pppolt2p: fix heap overflow (CVE-2008-2750) (#452110)
+
* Mon Jun 23 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.8-35
- libata: retry enable of AHCI mode before reporting an error (F9#452595)
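Review bot: the new changelog entry misspells the driver name; `- pppolt2p: fix heap overflow (CVE-2008-2750) (#452110)` should read `pppol2tp`, matching the patch file name and the `pppol2tp_recvmsg()` function it fixes, so that searches of the changelog for the driver find this CVE entry.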