[kernel/f21] Validate iovec range in sys_sendto/sys_recvfrom
Josh Boyer
jwboyer at fedoraproject.org
Mon Mar 23 23:20:05 UTC 2015
commit c2afb20ca9490e308d6b08405647b349532dd247
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Mar 23 15:09:12 2015 -0400
Validate iovec range in sys_sendto/sys_recvfrom
kernel.spec | 5 +++
...e-the-range-we-feed-to-iov_iter_init-in-s.patch | 37 ++++++++++++++++++++++
...de-intel-Guard-against-stack-overflow-in-.patch | 1 -
3 files changed, 42 insertions(+), 1 deletion(-)
---
diff --git a/kernel.spec b/kernel.spec
index 2cc688a..68aa348 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -654,6 +654,8 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
Patch30000: kernel-arm64.patch
Patch30001: aarch64-fix-tlb-issues.patch
+Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1418,6 +1420,8 @@ ApplyPatch kernel-arm64.patch -R
%endif
%endif
+ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2278,6 +2282,7 @@ fi
# || ||
%changelog
* Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- Validate iovec range in sys_sendto/sys_recvfrom
- CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
* Mon Mar 23 2015 Peter Robinson <pbrobinson at fedoraproject.org>
diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
new file mode 100644
index 0000000..70c28d7
--- /dev/null
+++ b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
@@ -0,0 +1,37 @@
+From: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Fri, 20 Mar 2015 17:41:43 +0000
+Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
+ sys_sendto/sys_recvfrom
+
+Cc: stable at vger.kernel.org # v3.19
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 418795caa897..d50e7ca6aeea 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+
+ if (len > INT_MAX)
+ len = INT_MAX;
++ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
++ return -EFAULT;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+
+ if (size > INT_MAX)
+ size = INT_MAX;
++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
++ return -EFAULT;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+--
+2.1.0
+
diff --git a/x86-microcode-intel-Guard-against-stack-overflow-in-.patch b/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
index 2123a46..5f1d232 100644
--- a/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
+++ b/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
@@ -1,4 +1,3 @@
-From 4423997d1e2f479f98b8f0c7ad733607f361ed76 Mon Sep 17 00:00:00 2001
From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
Date: Tue, 3 Feb 2015 13:00:22 +0100
Subject: [PATCH] x86/microcode/intel: Guard against stack overflow in the
More information about the scm-commits
mailing list