diff --git a/kernel.spec b/kernel.spec
index 345b795..a4d9e5f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -680,6 +680,9 @@ Patch21004: vfs-fix-automount-for-negative-autofs-dentries.patch
 # rhbz#727927 rhbz#731278 rhbz#732934
 Patch21005: cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
 
+# from 3.0.5 patch queue
+Patch21006: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1229,6 +1232,9 @@ ApplyPatch vfs-fix-automount-for-negative-autofs-dentries.patch
 # cifs-possible-memory-corruption-on-mount.patch is already queued for 3.0.4
 ApplyPatch cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
 
+# from 3.0.5 patch queue
+ApplyPatch sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1849,6 +1855,9 @@ fi
 # and build.
 
 %changelog
+* Tue Aug 30 2011 Chuck Ebbert 2.6.40.4-4
+- Fix unsafe pointer access in sendmsg/sendmmsg
+
 * Mon Aug 29 2011 Chuck Ebbert 2.6.40.4-3
 - Linux 3.0.4
 
diff --git a/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch b/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
new file mode 100644
index 0000000..0f85bd9
--- /dev/null
+++ b/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers
+Signed-off-by: David Goulet
+CC: Tetsuo Handa
+CC: Anton Blanchard
+CC: David S. Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ * used_address->name_len is initialized to UINT_MAX so that the first
+ * destination address never matches.
+ */
+- if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+- !memcmp(&used_address->name, msg->msg_name,
++ if (used_address && msg_sys->msg_name &&
++ used_address->name_len == msg_sys->msg_namelen &&
++ !memcmp(&used_address->name, msg_sys->msg_name,
+ used_address->name_len)) {
+ err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+- memcpy(&used_address->name, msg->msg_name,
+- used_address->name_len);
++ if (msg_sys->msg_name)
++ memcpy(&used_address->name, msg_sys->msg_name,
++ used_address->name_len);
+ }
+
+ out_freectl:
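Review bot: In the second nested hunk (`@@ -1978`), `used_address->name_len = msg_sys->msg_namelen;` still runs unconditionally while the copy into `used_address->name` is now done only when `msg_sys->msg_name` is non-NULL, so a message whose kernel-side name was NULLed by verify_iovec()/verify_compat_iovec() leaves the cache with a fresh length paired with a stale or never-written name buffer. The guard added in the first hunk keeps that message itself off the `sock_sendmsg_nosec()` fast path, but a following message with a non-NULL name of the same length is then memcmp'd against those stale bytes; whether that can ever match presumably depends on how the caller initialises `used_address`, which is outside this hunk. Keeping length and name in step is a one-line move: put `used_address->name_len = msg_sys->msg_namelen;` inside the new `if (msg_sys->msg_name)` branch (with braces), or alternatively reset `name_len` to UINT_MAX in the NULL case so the cache is explicitly invalidated, matching the initialisation described by the comment in the first hunk. `__sys_sendmsg` begins and ends outside the hunk.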