Validate iovec range in sys_sendto/sys_recvfrom

2015-03-23 15:09:12 -04:00 · 2015-03-23 15:09:12 -04:00 · ebfb149da3
commit ebfb149da3
parent 68ca5f5500
2 changed files with 44 additions and 2 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 3
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -635,6 +635,8 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch

 Patch26172: Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch

+Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1375,6 +1377,8 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch

 ApplyPatch Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch

+ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2225,7 +2229,8 @@ fi
 #
 # 
 %changelog
-* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc5.git0.1
+* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc5.git0.3
+- Validate iovec range in sys_sendto/sys_recvfrom
 - Revert i915 commit that causes boot hangs on at least some headless machines
 - Linux v4.0-rc5

--- a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+++ b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
@ -0,0 +1,37 @@
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Fri, 20 Mar 2015 17:41:43 +0000
+Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
+ sys_sendto/sys_recvfrom
+
+Cc: stable@vger.kernel.org # v3.19
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index bbedbfcb42c2..245330ca0015 100644
+--- a/net/socket.c
+++ b/net/socket.c
+@@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ 
+ 	if (len > INT_MAX)
+ 		len = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+		return -EFAULT;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ 
+ 	if (size > INT_MAX)
+ 		size = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+		return -EFAULT;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+-- 
+2.1.0
+