3.8.13.24 -stable review patch. If anyone has any objections, please let me know.
------------------ From: "Michael S. Tsirkin" <[email protected]> commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream. skb_segment copies frags around, so we need to copy them carefully to avoid accessing user memory after reporting completion to userspace through a callback. skb_segment doesn't normally happen on datapath: TSO needs to be disabled - so disabling zero copy in this case does not look like a big deal. Signed-off-by: Michael S. Tsirkin <[email protected]> Acked-by: Herbert Xu <[email protected]> Signed-off-by: David S. Miller <[email protected]> (back ported from commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f) CVE-2014-0131 BugLink: http://bugs.launchpad.net/bugs/1298119 Signed-off-by: Luis Henriques <[email protected]> Signed-off-by: Kamal Mostafa <[email protected]> --- net/core/skbuff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f97fe58..1cee7e3 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2826,6 +2826,9 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) skb_put(nskb, hsize), hsize); while (pos < offset + len && i < nfrags) { + if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC))) + goto err; + *frag = skb_shinfo(skb)->frags[i]; __skb_frag_ref(frag); size = skb_frag_size(frag); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
