Bug 165138 - Fix possible overflow of sock->sk_policy
Summary: Fix possible overflow of sock->sk_policy
Keywords:
Status: CLOSED DUPLICATE of bug 165560
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-08-04 16:26 UTC by Linda Wang
Modified: 2015-01-04 22:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-30 08:31:30 UTC
Target Upstream Version:
Embargoed:



Description Linda Wang 2005-08-04 16:26:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Red Hat/1.0.4-1.4.1 Firefox/1.0.4

Description of problem:
This one is user-triggerable (local only).  Oops should be trivial,
haven't convinced myself if priv-escalation is possible.  It's public
(upstream, and pending for -stable), so just an FYI.



Version-Release number of selected component (if applicable):
kernel-2.6.9-11

How reproducible:
Always

Steps to Reproduce:
1. boot the kernel
2. network related

Additional info:

----- Forwarded message from Chris Wright <chrisw osdl org> -----

Date: Wed, 3 Aug 2005 00:01:27 -0700
From: Chris Wright <chrisw osdl org>
User-Agent: Mutt/1.5.6i
To: linux-kernel vger kernel org, stable kernel org
Cc: akpm osdl org, Theodore Ts'o <tytso mit edu>,
	Zwane Mwaikambo <zwane arm linux org uk>,
	Justin Forbes <jmforbes linuxtx org>,
	Randy Dunlap <rdunlap xenotime net>, torvalds osdl org,
	Chuck Wolber <chuckw quantumlinux com>,
	"David S. Miller" <davem davemloft net>, alan lxorguk ukuu org uk,
	Herbert Xu <herbert gondor apana org au>
Subject: [09/13] [XFRM]: Fix possible overflow of sock->sk_policy

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Herbert Xu <herbert gondor apana org au>

[XFRM]: Fix possible overflow of sock->sk_policy

Spotted by, and original patch by, Balazs Scheidler.

Signed-off-by: Herbert Xu <herbert gondor apana org au>
Signed-off-by: David S. Miller <davem davemloft net>
Signed-off-by: Chris Wright <chrisw osdl org>
Signed-off-by: Greg Kroah-Hartman <gregkh suse de>
---
 net/xfrm/xfrm_user.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/xfrm/xfrm_user.c	2005-07-28 11:17:18.000000000 -0700
@@ -1180,6 +1180,9 @@
 	if (nr > XFRM_MAX_DEPTH)
 		return NULL;
 
+	if (p->dir > XFRM_POLICY_OUT)
+		return NULL;
+
 	xp = xfrm_policy_alloc(GFP_KERNEL);
 	if (xp == NULL) {
 		*dir = -ENOBUFS;
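
Review bot: the added "if (p->dir > XFRM_POLICY_OUT) return NULL;" carries no comment saying what it protects, and its correctness rests on two things the hunk does not show. First, an upper-bound-only test is sufficient only if p->dir is an unsigned type; if it were signed, a negative value would pass this check, so the type should be confirmed or a lower bound added. Second, this path returns NULL without assigning *dir, while the allocation failure just below sets *dir = -ENOBUFS; like the existing nr > XFRM_MAX_DEPTH return, it depends on *dir already holding an error code at this point, which is worth confirming so the caller never sees NULL with a stale direction value. A one-line comment stating that dir is later used to index sock->sk_policy, and that the bound must track the size of that array, would keep the check from drifting if new policy directions are added.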

----- End forwarded message -----

Comment 1 Mark J. Cox 2005-08-30 08:31:30 UTC

*** This bug has been marked as a duplicate of 165560 ***

