Validate iovec range in sys_sendto/sys_recvfrom
This commit is contained in:
Josh Boyer
parent
68ca5f5500
commit
ebfb149da3
|
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 1
|
||||
%global baserelease 3
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
|
@ -635,6 +635,8 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
|
|||
|
||||
Patch26172: Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch
|
||||
|
||||
Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1375,6 +1377,8 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
|
|||
|
||||
ApplyPatch Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch
|
||||
|
||||
ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2225,7 +2229,8 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc5.git0.1
|
||||
* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc5.git0.3
|
||||
- Validate iovec range in sys_sendto/sys_recvfrom
|
||||
- Revert i915 commit that causes boot hangs on at least some headless machines
|
||||
- Linux v4.0-rc5
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,37 @@
|
|||
From: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Date: Fri, 20 Mar 2015 17:41:43 +0000
|
||||
Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
|
||||
sys_sendto/sys_recvfrom
|
||||
|
||||
Cc: stable@vger.kernel.org # v3.19
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/socket.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
index bbedbfcb42c2..245330ca0015 100644
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
|
||||
|
||||
if (len > INT_MAX)
|
||||
len = INT_MAX;
|
||||
+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
|
||||
+ return -EFAULT;
|
||||
sock = sockfd_lookup_light(fd, &err, &fput_needed);
|
||||
if (!sock)
|
||||
goto out;
|
||||
@@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
|
||||
|
||||
if (size > INT_MAX)
|
||||
size = INT_MAX;
|
||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
|
||||
+ return -EFAULT;
|
||||
sock = sockfd_lookup_light(fd, &err, &fput_needed);
|
||||
if (!sock)
|
||||
goto out;
|
||||
--
|
||||
2.1.0
|
||||
|
||||
Loading…
Reference in New Issue