[kernel/f20] CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)

Josh Boyer jwboyer at fedoraproject.org
Tue Mar 10 12:46:37 UTC 2015


commit 62775dbb5ac131884b59b2ccde2345279d881629
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Tue Mar 10 08:43:37 2015 -0400

    CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)

 kernel.spec                                        |  9 +++++
 ...-correct-size-for-max-unacked-packets-and.patch | 40 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index 63b4455..74c8e0b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -762,6 +762,9 @@ Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
 #rhbz 1190947
 Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
 
+#CVE-2015-2042 rhbz 1195355 1199365
+Patch26143: net-rds-use-correct-size-for-max-unacked-packets-and.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1487,6 +1490,9 @@ ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
 #rhbz 1185519
 ApplyPatch NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch
 
+#CVE-2015-2042 rhbz 1195355 1199365
+ApplyPatch net-rds-use-correct-size-for-max-unacked-packets-and.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2305,6 +2311,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Mar 10 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
+
 * Mon Mar 09 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.18.9-100
 - Linux v3.18.9
 
diff --git a/net-rds-use-correct-size-for-max-unacked-packets-and.patch b/net-rds-use-correct-size-for-max-unacked-packets-and.patch
new file mode 100644
index 0000000..3cf4a90
--- /dev/null
+++ b/net-rds-use-correct-size-for-max-unacked-packets-and.patch
@@ -0,0 +1,40 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Tue, 3 Feb 2015 08:55:58 -0500
+Subject: [PATCH] net: rds: use correct size for max unacked packets and bytes
+
+Max unacked packets/bytes is an int while sizeof(long) was used in the
+sysctl table.
+
+This means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/sysctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
+index c3b0cd43eb56..c173f69e1479 100644
+--- a/net/rds/sysctl.c
++++ b/net/rds/sysctl.c
+@@ -71,14 +71,14 @@ static struct ctl_table rds_sysctl_rds_table[] = {
+ 	{
+ 		.procname	= "max_unacked_packets",
+ 		.data		= &rds_sysctl_max_unacked_packets,
+-		.maxlen         = sizeof(unsigned long),
++		.maxlen         = sizeof(int),
+ 		.mode           = 0644,
+ 		.proc_handler   = proc_dointvec,
+ 	},
+ 	{
+ 		.procname	= "max_unacked_bytes",
+ 		.data		= &rds_sysctl_max_unacked_bytes,
+-		.maxlen         = sizeof(unsigned long),
++		.maxlen         = sizeof(int),
+ 		.mode           = 0644,
+ 		.proc_handler   = proc_dointvec,
+ 	},
+-- 
+2.1.0
+
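Review bot: In both entries of `rds_sysctl_rds_table` the new `.maxlen = sizeof(int)` is still a hand-written type size, which is how the length drifted away from the variable in the first place. Writing `.maxlen = sizeof(rds_sysctl_max_unacked_packets),` (and likewise for `rds_sysctl_max_unacked_bytes`) would keep the length tied to the object behind `.data`. `proc_dointvec` derives its element count from `maxlen / sizeof(int)`, so where `long` is wider than `int` the old value made the handler process a second int adjacent to each variable. With `.mode = 0644` that presumably applied to privileged writes as well as reads, which the commit message does not mention. The variable declarations and the rest of the table are outside the hunk, so their exact type should be confirmed there.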

