[kernel] Validate iovec range in sys_sendto/sys_recvfrom
Josh Boyer
jwboyer at fedoraproject.org
Mon Mar 23 23:20:45 UTC 2015
commit ebfb149da321e85bbc4aef8776db0ec30ca94d38
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Mar 23 15:09:12 2015 -0400
Validate iovec range in sys_sendto/sys_recvfrom
kernel.spec | 9 ++++--
...e-the-range-we-feed-to-iov_iter_init-in-s.patch | 37 ++++++++++++++++++++++
2 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index dde1ea1..c8876ed 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 1
+%global baserelease 3
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -635,6 +635,8 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
Patch26172: Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch
+Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1375,6 +1377,8 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
ApplyPatch Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch
+ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2225,7 +2229,8 @@ fi
#
#
%changelog
-* Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.0.0-0.rc5.git0.1
+* Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.0.0-0.rc5.git0.3
+- Validate iovec range in sys_sendto/sys_recvfrom
- Revert i915 commit that causes boot hangs on at least some headless machines
- Linux v4.0-rc5
diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
new file mode 100644
index 0000000..d82fb0f
--- /dev/null
+++ b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
@@ -0,0 +1,37 @@
+From: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Fri, 20 Mar 2015 17:41:43 +0000
+Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
+ sys_sendto/sys_recvfrom
+
+Cc: stable at vger.kernel.org # v3.19
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index bbedbfcb42c2..245330ca0015 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+
+ if (len > INT_MAX)
+ len = INT_MAX;
++ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
++ return -EFAULT;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+@@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+
+ if (size > INT_MAX)
+ size = INT_MAX;
++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
++ return -EFAULT;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+--
+2.1.0
+
More information about the scm-commits
mailing list