Bug 457703 (CVE-2008-3535)

Summary: CVE-2008-3535 kernel: fix off-by-one error in iov_iter_advance()
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: lgoncalv, lwang, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 22:30:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 457705    
Bug Blocks:    
Description Flags
LTP testsuite package 20080630
Proposed backported patch for MRG kernel none

Description Eugene Teo (Security Response) 2008-08-04 02:45:06 UTC
Description of problem:
Alexey Dobriyan reported that it is possible to crash a machine by running ftest03 from the LTP test suite (20080630).

The iov_iter_advance() function would look at the iov->iov_len entry even though it might have iterated over the whole array, and iov was pointing past the end.  This would cause DEBUG_PAGEALLOC to trigger a kernel page fault if the allocation was at the end of a page, and the next page was unallocated.


Comment 2 Eugene Teo (Security Response) 2008-08-04 02:55:33 UTC
Created attachment 313297 [details]
LTP testsuite package 20080630

Comment 5 Eugene Teo (Security Response) 2008-08-04 03:29:43 UTC
Created attachment 313298 [details]
Proposed backported patch for MRG kernel

Comment 7 Vincent Danen 2010-12-23 22:30:09 UTC
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)