From e86e382c7531829b8366ed225c053784d0ec2c0d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 11 Jun 2012 01:14:36 +0000 Subject: [PATCH] net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (CVE-2012-2136) svn path=/dists/sid/linux/; revision=19120 --- debian/changelog | 2 + ...e-data_len-before-allocating-skb-in-.patch | 48 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 51 insertions(+) create mode 100644 debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch diff --git a/debian/changelog b/debian/changelog index 0dbb5e74c..1897afeb2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -49,6 +49,8 @@ linux (3.2.20-1) UNRELEASED; urgency=low * linux-source: Add single patch for each featureset * [x86] Enable CRASH_DUMP, PROC_VMCORE (Closes: #623177) * media/dvb: Enable DVB_DDBRIDGE as module (Closes: #676952) + * net: sock: validate data_len before allocating skb in + sock_alloc_send_pskb() (CVE-2012-2136) [ Bastian Blank ] * [s390/s390x,s390x/s390x] Build debugging symbols. diff --git a/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch b/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch new file mode 100644 index 000000000..86b0554bc --- /dev/null +++ b/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch 
@@ -0,0 +1,48 @@ +From: Jason Wang +Date: Wed, 30 May 2012 21:18:10 +0000 +Subject: net: sock: validate data_len before allocating skb in + sock_alloc_send_pskb() + +commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc upstream. + +We need to validate the number of pages consumed by data_len, otherwise frags +array could be overflowed by userspace. So this patch validate data_len and +return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS. + +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +--- + net/core/sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 653f8c0..9e5b71f 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1592,6 +1592,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + gfp_t gfp_mask; + long timeo; + int err; ++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; ++ ++ err = -EMSGSIZE; ++ if (npages > MAX_SKB_FRAGS) ++ goto failure; + + gfp_mask = sk->sk_allocation; + if (gfp_mask & __GFP_WAIT) +@@ -1610,14 +1615,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) { + skb = alloc_skb(header_len, gfp_mask); + if (skb) { +- int npages; + int i; + + /* No pages, we're done... */ + if (!data_len) + break; + +- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; + skb->truesize += data_len; + skb_shinfo(skb)->nr_frags = npages; + for (i = 0; i < npages; i++) { diff --git a/debian/patches/series b/debian/patches/series index 88ca4c341..27fa4d5cf 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -317,3 +317,4 @@ debian/avoid-ABI-change-for-hidepid.patch bugfix/all/NFSv4-Reduce-the-footprint-of-the-idmapper.patch bugfix/all/NFSv4-Further-reduce-the-footprint-of-the-idmapper.patch +bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-.patch
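Review bot: in the `@@ -1592,6 +1592,11 @@` hunk of net/core/sock.c, `int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;` rounds up before the bound is applied, so a `data_len` within `PAGE_SIZE - 1` of the maximum of its type wraps to a small `npages` and sails past `if (npages > MAX_SKB_FRAGS)`. The hunk header shows `header_len` as `unsigned long` but cuts off `data_len`'s type; if it is also `unsigned long`, consider bounding the length itself first, e.g. `if (data_len > (unsigned long)MAX_SKB_FRAGS * PAGE_SIZE) goto failure;`, and only then deriving `npages`, which is simpler to reason about than relying on every caller to keep `data_len` sane. Separately, the new `goto failure` now fires before `gfp_mask` and `timeo` are assigned; the `failure:` label is outside the hunk, so confirm it only stores `err` into the caller's error code and returns NULL without reading either variable.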
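Review bot: in the `@@ -1610,14 +1615,12 @@` hunk, removing the local `int npages;` and its recomputation leaves `skb_shinfo(skb)->nr_frags = npages;` depending entirely on the `MAX_SKB_FRAGS` check added some twenty lines earlier, outside the allocation loop, with nothing at the point of use saying so. A one-line comment at the assignment (for instance `/* npages <= MAX_SKB_FRAGS, validated before the alloc loop */`) would make the invariant visible where `nr_frags` is written and explain why the `-EMSGSIZE` path exists; the upstream commit message describes the frags array overflow, but the code itself does not.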