CVE-2010-4668: kernel panic with 0-length IOV
This commit is contained in:
Chuck Ebbert
parent
1f90e5b6f6
commit
aee782a97f
|
|
@ -0,0 +1,38 @@
|
|||
From: Xiaotian Feng <dfeng@redhat.com>
|
||||
Date: Mon, 29 Nov 2010 09:03:55 +0000 (+0100)
|
||||
Subject: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
|
||||
X-Git-Tag: v2.6.37-rc7~10^2~5
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=54787556
|
||||
|
||||
block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
|
||||
|
||||
commit 9284bcf checks for proper length of iov entries in
|
||||
blk_rq_map_user_iov(). But if the map is unaligned, kernel
|
||||
will break out the loop without checking for the proper length.
|
||||
So we need to check the proper length before the unalign check.
|
||||
|
||||
Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
|
||||
---
|
||||
|
||||
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||
index 5d5dbe4..e663ac2 100644
|
||||
--- a/block/blk-map.c
|
||||
+++ b/block/blk-map.c
|
||||
@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
for (i = 0; i < iov_count; i++) {
|
||||
unsigned long uaddr = (unsigned long)iov[i].iov_base;
|
||||
|
||||
+ if (!iov[i].iov_len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (uaddr & queue_dma_alignment(q)) {
|
||||
unaligned = 1;
|
||||
break;
|
||||
}
|
||||
- if (!iov[i].iov_len)
|
||||
- return -EINVAL;
|
||||
}
|
||||
|
||||
if (unaligned || (q->dma_pad_mask & len) || map_data)
|
||||
15
kernel.spec
15
kernel.spec
|
|
@ -769,10 +769,10 @@ Patch13651: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
|||
|
||||
Patch13652: fix-i8k-inline-asm.patch
|
||||
|
||||
Patch13702: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
|
||||
Patch13704: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
|
||||
Patch13653: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
|
||||
Patch13654: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
|
||||
|
||||
Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||
Patch13658: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||
|
||||
Patch13660: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
||||
Patch13661: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
||||
|
|
@ -799,6 +799,9 @@ Patch13698: net-AF_PACKET-vmalloc.patch
|
|||
Patch13700: e1000e-cleanup-e1000_sw_lcd_config_ich8lan.patch
|
||||
Patch13701: e1000e-82566DC-fails-to-get-link.patch
|
||||
|
||||
# CVE-2010-4668
|
||||
Patch13702: block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
|
@ -1504,6 +1507,9 @@ ApplyPatch net-AF_PACKET-vmalloc.patch
|
|||
ApplyPatch e1000e-cleanup-e1000_sw_lcd_config_ich8lan.patch
|
||||
ApplyPatch e1000e-82566DC-fails-to-get-link.patch
|
||||
|
||||
# CVE-2010-4668
|
||||
ApplyPatch block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2090,6 +2096,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Jan 10 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- CVE-2010-4668: kernel panic with 0-length IOV
|
||||
|
||||
* Thu Jan 06 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Fix failure to get link with e1000e model 82576DC (#652744)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue