Bug 457703 (CVE-2008-3535)

Summary: CVE-2008-3535 kernel: fix off-by-one error in iov_iter_advance()
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: lgoncalv, lwang, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 22:30:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 457705    
Bug Blocks:    
Attachments:
Description Flags
LTP testsuite package 20080630
none
Proposed backported patch for MRG kernel none

Description Eugene Teo (Security Response) 2008-08-04 02:45:06 UTC 
Description of problem:
Alexey Dobriyan reported that it is possible to crash a machine by running ftest03 from the LTP test suite (20080630).

The iov_iter_advance() function would look at the iov->iov_len entry even though it might have iterated over the whole array, and iov was pointing past the end.  This would cause DEBUG_PAGEALLOC to trigger a kernel page fault if the allocation was at the end of a page, and the next page was unallocated.

http://lkml.org/lkml/2008/7/30/446
Comment 1 Eugene Teo (Security Response) 2008-08-04 02:46:53 UTC 
Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=94ad374a0751f40d25e22e036c37f7263569d24c
Comment 2 Eugene Teo (Security Response) 2008-08-04 02:55:33 UTC 
Created attachment 313297 [details]
LTP testsuite package 20080630
Comment 5 Eugene Teo (Security Response) 2008-08-04 03:29:43 UTC 
Created attachment 313298 [details]
Proposed backported patch for MRG kernel
Comment 7 Vincent Danen 2010-12-23 22:30:09 UTC 
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)