
List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: integer overflow in RDS
From:       Eugene Teo <eugene () redhat ! com>
Date:       2010-11-18 1:39:12
Message-ID: 4CE483C0.4090800 () redhat ! com

On 11/18/2010 12:58 AM, Dan Rosenberg wrote:
> In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
> restricted to less than UINT_MAX.  This needs a tighter upper bound,
> since the calculation of total iov_size can overflow, resulting in a
> small sock_kmalloc() allocation.  This would probably just result in
> walking off the heap and crashing when calling rds_rdma_pages() with a
> high count value.  If it somehow doesn't crash here, then memory
> corruption could occur soon after.
>
> This is closely related to CVE-2010-3865
> (http://www.spinics.net/lists/netdev/msg145359.html), which also
> concerned various integer overflow and memory corruption issues in
> rds_cmsg_rdma_args().  In fact, I'd say it's due to an incomplete fix.
>
> Reference:
> http://marc.info/?l=linux-netdev&m=129001184803080&w=2

Please use CVE-2010-4175. Thanks.

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
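
The size calculation described in the quoted report, as an added example that is not part of either message and is not the kernel's code: a user-space model of a count that passes a "less than UINT_MAX" check and still wraps the allocation size, next to a tightly bounded version. The 16-byte element, the 32-bit size variable, the function names and the MODEL_MAX_IOV cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed 16-byte element standing in for one entry of the local vector. */
struct model_iovec { uint64_t addr; uint64_t bytes; };

/* Hypothetical tight cap on the element count (not taken from the page). */
#define MODEL_MAX_IOV 1024u

/* Loose bound as described in the report: the count only has to be below
 * UINT_MAX. The product is stored in a 32-bit size (assumed width), so it
 * can wrap to a small value while the count stays huge. */
static int size_loose(uint64_t nr_local, uint32_t *iov_size)
{
    if (nr_local >= UINT32_MAX)
        return -1;
    *iov_size = (uint32_t)(nr_local * sizeof(struct model_iovec));
    return 0;
}

/* Tight bound: cap the count first, then confirm the product fits. */
static int size_checked(uint64_t nr_local, uint32_t *iov_size)
{
    if (nr_local > MODEL_MAX_IOV)
        return -1;
    if (nr_local > UINT32_MAX / sizeof(struct model_iovec))
        return -1;
    *iov_size = (uint32_t)(nr_local * sizeof(struct model_iovec));
    return 0;
}

int main(void)
{
    uint64_t nr = 0x10000001ULL;   /* constructed sample count */
    uint32_t sz = 0;

    if (size_loose(nr, &sz) == 0)
        printf("loose:   count=%llu accepted, size=%u bytes\n",
               (unsigned long long)nr, (unsigned)sz);
    if (size_checked(nr, &sz) != 0)
        printf("checked: count=%llu rejected\n", (unsigned long long)nr);
    return 0;
}
```

With the loose bound, the buffer size and the element count later used to walk it no longer agree, which is the mismatch the report warns about.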