** Description changed:

- Placeholder
+ next_pidmap: fix overflow condition
+ 
+ next_pidmap() just quietly accepted whatever 'last' pid that was passed
+ in, which is not all that safe when one of the users is /proc.
+ 
+ Admittedly the proc code should do some sanity checking on the range
+ (and that will be the next commit), but that doesn't mean that the
+ helper functions should just do that pidmap pointer arithmetic without
+ checking the range of its arguments.
+ 
+ So clamp 'last' to PID_MAX_LIMIT.  The fact that we then do "last+1"
+ doesn't really matter, the for-loop does check against the end of the
+ pidmap array properly (it's only the actual pointer arithmetic overflow
+ case we need to worry about, and going one bit beyond isn't going to
+ overflow).

** Description changed:

  next_pidmap: fix overflow condition
  
  next_pidmap() just quietly accepted whatever 'last' pid that was passed
  in, which is not all that safe when one of the users is /proc.
  
  Admittedly the proc code should do some sanity checking on the range
  (and that will be the next commit), but that doesn't mean that the
  helper functions should just do that pidmap pointer arithmetic without
  checking the range of its arguments.
  
  So clamp 'last' to PID_MAX_LIMIT.  The fact that we then do "last+1"
  doesn't really matter, the for-loop does check against the end of the
  pidmap array properly (it's only the actual pointer arithmetic overflow
  case we need to worry about, and going one bit beyond isn't going to
  overflow).
+ 
+ ---
+ 
+ proc: do proper range check on readdir offset
+ 
+ Rather than pass in some random truncated offset to the pid-related
+ functions, check that the offset is in range up-front.

** Changed in: linux (Ubuntu Dapper)
       Status: New => Invalid

** Changed in: linux-fsl-imx51 (Ubuntu Dapper)
       Status: New => Invalid

** Changed in: linux-lts-backport-maverick (Ubuntu Dapper)
       Status: New => Invalid

** Changed in: linux-mvl-dove (Ubuntu Dapper)
       Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Dapper)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/784727

Title:
  CVE-2011-1593

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to