CVE-2013-1828 sctp: SCTP_GET_ASSOC_STATS stack buffer overflow (rhbz 919315 919316)
This commit is contained in:
parent
aef219c581
commit
90b1fad492
|
@ -747,6 +747,9 @@ Patch22267: logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.
|
|||
#rhbz 916444
|
||||
Patch22268: dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
|
||||
|
||||
#CVE-2013-1828 rhbz 919315 919316
|
||||
Patch22269: net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch
|
||||
|
||||
#rhbz 812111
|
||||
Patch24000: alps.patch
|
||||
|
||||
|
@ -1468,6 +1471,9 @@ ApplyPatch logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.p
|
|||
#rhbz 916444
|
||||
ApplyPatch dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
|
||||
|
||||
#CVE-2013-1828 rhbz 919315 919316
|
||||
ApplyPatch net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2324,6 +2330,9 @@ fi
|
|||
# '-' | |
|
||||
# '-'
|
||||
%changelog
|
||||
* Fri Mar 08 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-1828 sctp: SCTP_GET_ASSOC_STATS stack buffer overflow (rhbz 919315 919316)
|
||||
|
||||
* Fri Mar 8 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Have kernel provide kernel-highbank for upgrade to unified
|
||||
- Update mvebu configs
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
From 726bc6b092da4c093eb74d13c07184b18c1af0f1 Mon Sep 17 00:00:00 2001
|
||||
From: Guenter Roeck <linux@roeck-us.net>
|
||||
Date: Wed, 27 Feb 2013 10:57:31 +0000
|
||||
Subject: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Building sctp may fail with:
|
||||
|
||||
In function ‘copy_from_user’,
|
||||
inlined from ‘sctp_getsockopt_assoc_stats’ at
|
||||
net/sctp/socket.c:5656:20:
|
||||
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
|
||||
‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
|
||||
buffer size is not provably correct
|
||||
|
||||
if built with W=1 due to a missing parameter size validation
|
||||
before the call to copy_from_user.
|
||||
|
||||
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
|
||||
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/socket.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index cedd9bf..9ef5c73 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
|
||||
if (len < sizeof(sctp_assoc_t))
|
||||
return -EINVAL;
|
||||
|
||||
+ /* Allow the struct to grow and fill in as much as possible */
|
||||
+ len = min_t(size_t, len, sizeof(sas));
|
||||
+
|
||||
if (copy_from_user(&sas, optval, len))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
|
||||
/* Mark beginning of a new observation period */
|
||||
asoc->stats.max_obs_rto = asoc->rto_min;
|
||||
|
||||
- /* Allow the struct to grow and fill in as much as possible */
|
||||
- len = min_t(size_t, len, sizeof(sas));
|
||||
-
|
||||
if (put_user(len, optlen))
|
||||
return -EFAULT;
|
||||
|
||||
--
|
||||
1.8.1.2
|
||||
|
Loading…
Reference in New Issue