[kernel/f20] CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
Josh Boyer
jwboyer at fedoraproject.org
Tue Mar 10 12:46:37 UTC 2015
commit 62775dbb5ac131884b59b2ccde2345279d881629
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Tue Mar 10 08:43:37 2015 -0400
CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
kernel.spec | 9 +++++
...-correct-size-for-max-unacked-packets-and.patch | 40 ++++++++++++++++++++++
2 files changed, 49 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index 63b4455..74c8e0b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -762,6 +762,9 @@ Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
#rhbz 1190947
Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
+#CVE-2015-2042 rhbz 1195355 1199365
+Patch26143: net-rds-use-correct-size-for-max-unacked-packets-and.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1487,6 +1490,9 @@ ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
#rhbz 1185519
ApplyPatch NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch
+#CVE-2015-2042 rhbz 1195355 1199365
+ApplyPatch net-rds-use-correct-size-for-max-unacked-packets-and.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2305,6 +2311,9 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Mar 10 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
+
* Mon Mar 09 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.18.9-100
- Linux v3.18.9
diff --git a/net-rds-use-correct-size-for-max-unacked-packets-and.patch b/net-rds-use-correct-size-for-max-unacked-packets-and.patch
new file mode 100644
index 0000000..3cf4a90
--- /dev/null
+++ b/net-rds-use-correct-size-for-max-unacked-packets-and.patch
@@ -0,0 +1,40 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Tue, 3 Feb 2015 08:55:58 -0500
+Subject: [PATCH] net: rds: use correct size for max unacked packets and bytes
+
+Max unacked packets/bytes is an int while sizeof(long) was used in the
+sysctl table.
+
+This means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/sysctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
+index c3b0cd43eb56..c173f69e1479 100644
+--- a/net/rds/sysctl.c
++++ b/net/rds/sysctl.c
+@@ -71,14 +71,14 @@ static struct ctl_table rds_sysctl_rds_table[] = {
+ {
+ .procname = "max_unacked_packets",
+ .data = &rds_sysctl_max_unacked_packets,
+- .maxlen = sizeof(unsigned long),
++ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "max_unacked_bytes",
+ .data = &rds_sysctl_max_unacked_bytes,
+- .maxlen = sizeof(unsigned long),
++ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+--
+2.1.0
+
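Review bot: In both table entries of the net/rds/sysctl.c hunk, `.maxlen = sizeof(int),` still restates the type by hand, which is how the length and the object drifted apart in the first place. Tying the length to the object itself, `.maxlen = sizeof(rds_sysctl_max_unacked_packets),` and `.maxlen = sizeof(rds_sysctl_max_unacked_bytes),`, keeps the handler's bound correct if either declaration changes later. proc_dointvec processes `maxlen / sizeof(int)` elements starting at `.data`, so an oversized maxlen exposes whatever follows the variable on read and, since the entries are mode 0644, presumably lets a privileged write spill into the same memory. The rds_sysctl_rds_table array starts and ends outside the hunk, so its other entries could not be checked for the same mismatch from here. A one-line comment above the table such as `/* .maxlen must equal the size of the object .data points at */` would record the invariant.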