Validate iovec range in sys_sendto/sys_recvfrom
This commit is contained in:
parent
bcef09ff1a
commit
c2afb20ca9
|
@ -654,6 +654,8 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
|
|||
Patch30000: kernel-arm64.patch
|
||||
Patch30001: aarch64-fix-tlb-issues.patch
|
||||
|
||||
Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1418,6 +1420,8 @@ ApplyPatch kernel-arm64.patch -R
|
|||
%endif
|
||||
%endif
|
||||
|
||||
ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2278,6 +2282,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Validate iovec range in sys_sendto/sys_recvfrom
|
||||
- CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
|
||||
|
||||
* Mon Mar 23 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
From: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Date: Fri, 20 Mar 2015 17:41:43 +0000
|
||||
Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
|
||||
sys_sendto/sys_recvfrom
|
||||
|
||||
Cc: stable@vger.kernel.org # v3.19
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/socket.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
index 418795caa897..d50e7ca6aeea 100644
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
|
||||
|
||||
if (len > INT_MAX)
|
||||
len = INT_MAX;
|
||||
+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
|
||||
+ return -EFAULT;
|
||||
sock = sockfd_lookup_light(fd, &err, &fput_needed);
|
||||
if (!sock)
|
||||
goto out;
|
||||
@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
|
||||
|
||||
if (size > INT_MAX)
|
||||
size = INT_MAX;
|
||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
|
||||
+ return -EFAULT;
|
||||
sock = sockfd_lookup_light(fd, &err, &fput_needed);
|
||||
if (!sock)
|
||||
goto out;
|
||||
--
|
||||
2.1.0
|
||||
|
|
@ -1,4 +1,3 @@
|
|||
From 4423997d1e2f479f98b8f0c7ad733607f361ed76 Mon Sep 17 00:00:00 2001
|
||||
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
|
||||
Date: Tue, 3 Feb 2015 13:00:22 +0100
|
||||
Subject: [PATCH] x86/microcode/intel: Guard against stack overflow in the
|
||||
|
|
Loading…
Reference in New Issue