rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Validate iovec range in sys_sendto/sys_recvfrom

This commit is contained in:
Josh Boyer 2015-03-23 15:09:12 -04:00
parent bcef09ff1a
commit c2afb20ca9
3 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
kernel.spec
View File

@ -654,6 +654,8 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
Patch30000: kernel-arm64.patch
Patch30001: aarch64-fix-tlb-issues.patch
Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
# END OF PATCH DEFINITIONS
%endif
@ -1418,6 +1420,8 @@ ApplyPatch kernel-arm64.patch -R
%endif
%endif
ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
# END OF PATCH APPLICATIONS
%endif
@ -2278,6 +2282,7 @@ fi
# || ||
%changelog
* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Validate iovec range in sys_sendto/sys_recvfrom
- CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
* Mon Mar 23 2015 Peter Robinson <pbrobinson@fedoraproject.org>

37
net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch Normal file
View File

@ -0,0 +1,37 @@
From: Al Viro <viro@ZenIV.linux.org.uk>
Date: Fri, 20 Mar 2015 17:41:43 +0000
Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
sys_sendto/sys_recvfrom
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/socket.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/socket.c b/net/socket.c
index 418795caa897..d50e7ca6aeea 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
if (len > INT_MAX)
len = INT_MAX;
+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+ return -EFAULT;
sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
goto out;
@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
if (size > INT_MAX)
size = INT_MAX;
+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+ return -EFAULT;
sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
goto out;
--
2.1.0

1
x86-microcode-intel-Guard-against-stack-overflow-in-.patch
View File

@ -1,4 +1,3 @@
From 4423997d1e2f479f98b8f0c7ad733607f361ed76 Mon Sep 17 00:00:00 2001
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Tue, 3 Feb 2015 13:00:22 +0100
Subject: [PATCH] x86/microcode/intel: Guard against stack overflow in the