[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: CVE-2009-1265 kernel: af_rose/x25: Sanity check the maximum user frame size
From:       Willy Tarreau <w () 1wt ! eu>
Date:       2009-06-07 17:26:35
Message-ID: 20090607172635.GA29947 () 1wt ! eu
[Download RAW message or body]

On Thu, Apr 23, 2009 at 09:08:05AM +0200, Willy Tarreau wrote:
> On Thu, Apr 23, 2009 at 02:54:06PM +0800, Eugene Teo wrote:
> > Willy Tarreau wrote:
> > > Hi Eugene,
> > > 
> > > On Wed, Apr 08, 2009 at 03:58:55PM +0800, Eugene Teo wrote:
> > >> {nr,rose,x25}_sendmsg() functions need to have sanity checks on the
> > >> packet size, otherwise the sizes can wrap and end up sending garbage.
> > >>
> > >> http://bugzilla.kernel.org/show_bug.cgi?id=10423
> > >> http://git.kernel.org/linus/83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
> > >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1265
> > >>
> > >> This affects both 2.4.x and 2.6.x if CONFIG_{NETROM,ROSE,X25} are enabled.
> > > 
> > > I already have it in my queue, just did not have time to merge it yet.
> > > Thanks for the reminder anyway, I really appreciate it ;-)
> > 
> > You will need this too :)
> > 
> > upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab
> > 
> > Patch "af_rose/x25: Sanity check the maximum user frame size"
> > (commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got
> > locking wrong. If we bail out due to user frame size being too large,
> > we must unlock the socket beforehand.
> 
> OK thanks Eugene!
> Willy

Just checked, but nr_sendmsg() does not use lock_sock()/release_sock() in
2.4, so the patch above did not bring any regression. I don't know if this
lock is needed there. It has always been there in 2.6 and never in 2.4.
Either it's a long-time missed patch or just not needed here. I won't touch
it as I have no way to test it and nobody complains ;-)

Regards,
Willy

[prev in list] [next in list] [prev in thread] [next in thread]