This is a note to let you know that I've just added the patch titled
rds: Integer overflow in RDS cmsg handling
to the 2.6.36-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
rds-integer-overflow-in-rds-cmsg-handling.patch
and it can be found in the queue-2.6.36 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 218854af84038d828a32f061858b1902ed2beec6 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <[email protected]>
Date: Wed, 17 Nov 2010 06:37:16 +0000
Subject: rds: Integer overflow in RDS cmsg handling
From: Dan Rosenberg <[email protected]>
commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.
Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/rds/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -474,7 +474,7 @@ static struct rds_rdma_op *rds_rdma_prep
goto out;
}
- if (args->nr_local > (u64)UINT_MAX) {
+ if (args->nr_local > UIO_MAXIOV) {
ret = -EMSGSIZE;
goto out;
}
Patches currently in stable-queue which might be from [email protected]
are
queue-2.6.36/rds-integer-overflow-in-rds-cmsg-handling.patch
queue-2.6.36/can-bcm-fix-minor-heap-overflow.patch
queue-2.6.36/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
queue-2.6.36/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
queue-2.6.36/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
queue-2.6.36/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
queue-2.6.36/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
queue-2.6.36/filter-make-sure-filters-dont-read-uninitialized-memory.patch
queue-2.6.36/decnet-don-t-leak-uninitialized-stack-byte.patch
queue-2.6.36/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
