RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
parent
2ae3c9e4a7
commit
24cdd62c17
|
@ -1,3 +1,9 @@
|
|||
linux (4.14.13-2) UNRELEASED; urgency=medium
|
||||
|
||||
* RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 16 Jan 2018 20:50:23 +0100
|
||||
|
||||
linux (4.14.13-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Tue, 2 Jan 2018 19:44:34 +0000
|
||||
Subject: RDS: Heap OOB write in rds_message_alloc_sgs()
|
||||
Origin: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5332
|
||||
|
||||
When args->nr_local is 0, nr_pages gets also 0 due some size
|
||||
calculation via rds_rm_size(), which is later used to allocate
|
||||
pages for DMA, this bug produces a heap Out-Of-Bound write access
|
||||
to a specific memory region.
|
||||
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/rds/rdma.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
|
||||
index bc2f1e0977d6..94729d9da437 100644
|
||||
--- a/net/rds/rdma.c
|
||||
+++ b/net/rds/rdma.c
|
||||
@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
|
||||
|
||||
local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
|
||||
|
||||
+ if (args->nr_local == 0)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/* figure out the number of pages in the vector */
|
||||
for (i = 0; i < args->nr_local; i++) {
|
||||
if (copy_from_user(&vec, &local_vec[i],
|
||||
--
|
||||
2.15.1
|
||||
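Review bot: The added `if (args->nr_local == 0) return -EINVAL;` guard in rds_rdma_extra_size() has no comment, and nothing in the code ties it to the out-of-bounds write in rds_message_alloc_sgs() that the subject line names. Going by the patch description, a zero nr_local leads to a zero page count that a later allocation relies on, so a comment above the check would stop it being removed as redundant, for example `/* nr_local == 0 yields a zero page count and a too-small allocation later (see rds_rm_size()); reject it */`. The guard covers only the zero case. The function body starts and ends outside the hunk, so it is not visible here whether nr_local has an upper bound or whether the per-iovec page counts summed in the loop are range-checked; both are worth confirming against the full file before relying on this patch alone.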
|
|
@ -131,6 +131,7 @@ bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
|
|||
bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch
|
||||
bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
|
||||
bugfix/all/bpf-fix-integer-overflows.patch
|
||||
bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|