[kernel/f17] CVE-2013-1828 sctp: SCTP_GET_ASSOC_STATS stack buffer overflow (rhbz 919315 919316)
Josh Boyer
jwboyer at fedoraproject.org
Fri Mar 8 13:33:22 UTC 2013
commit 90b1fad4920ecaa7f3c1e587cca0aaad974fa097
Author: Josh Boyer <jwboyer at redhat.com>
Date: Fri Mar 8 08:31:19 2013 -0500
CVE-2013-1828 sctp: SCTP_GET_ASSOC_STATS stack buffer overflow (rhbz 919315 919316)
kernel.spec | 9 +++
...lidate-parameter-size-for-SCTP_GET_ASSOC_.patch | 54 ++++++++++++++++++++
2 files changed, 63 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index b1a9d08..f34fd39 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -747,6 +747,9 @@ Patch22267: logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.
#rhbz 916444
Patch22268: dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
+#CVE-2013-1828 rhbz 919315 919316
+Patch22269: net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch
+
#rhbz 812111
Patch24000: alps.patch
@@ -1468,6 +1471,9 @@ ApplyPatch logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.p
#rhbz 916444
ApplyPatch dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
+#CVE-2013-1828 rhbz 919315 919316
+ApplyPatch net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2324,6 +2330,9 @@ fi
# '-' | |
# '-'
%changelog
+* Fri Mar 08 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-1828 sctp: SCTP_GET_ASSOC_STATS stack buffer overflow (rhbz 919315 919316)
+
* Fri Mar 8 2013 Peter Robinson <pbrobinson at fedoraproject.org>
- Have kernel provide kernel-highbank for upgrade to unified
- Update mvebu configs
diff --git a/net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch b/net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch
new file mode 100644
index 0000000..bb976c5
--- /dev/null
+++ b/net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch
@@ -0,0 +1,54 @@
+From 726bc6b092da4c093eb74d13c07184b18c1af0f1 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux at roeck-us.net>
+Date: Wed, 27 Feb 2013 10:57:31 +0000
+Subject: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Building sctp may fail with:
+
+In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+if built with W=1 due to a missing parameter size validation
+before the call to copy_from_user.
+
+Signed-off-by: Guenter Roeck <linux at roeck-us.net>
+Acked-by: Vlad Yasevich <vyasevich at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index cedd9bf..9ef5c73 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
+ if (len < sizeof(sctp_assoc_t))
+ return -EINVAL;
+
++ /* Allow the struct to grow and fill in as much as possible */
++ len = min_t(size_t, len, sizeof(sas));
++
+ if (copy_from_user(&sas, optval, len))
+ return -EFAULT;
+
+@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
+ /* Mark beginning of a new observation period */
+ asoc->stats.max_obs_rto = asoc->rto_min;
+
+- /* Allow the struct to grow and fill in as much as possible */
+- len = min_t(size_t, len, sizeof(sas));
+-
+ if (put_user(len, optlen))
+ return -EFAULT;
+
+--
+1.8.1.2
+
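Review bot: The comment moved above `copy_from_user(&sas, optval, len)` in the first net/sctp/socket.c hunk still reads as a forward-compatibility note, although the clamp it describes is now the only upper bound on that copy. The embedded commit message mentions only a W=1 build failure while the package changelog records a stack buffer overflow, so the comment should state the bound explicitly, for example `/* Clamp len to sizeof(sas) so the copy below cannot overrun sas; also lets the struct grow */`. `len` is an `int` compared against `sizeof(sctp_assoc_t)`, so a negative value would pass that check as a large unsigned number and is only caught by the `min_t(size_t, ...)` clamp; whether callers reject negative lengths earlier is not visible here. The body of sctp_getsockopt_assoc_stats starts and ends outside both hunks.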