Bug 165138 - Fix possible overflow of sock->sk_policy
Status: CLOSED DUPLICATE of bug 165560
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Dave Jones
QA Contact: Brian Brock
Keywords: Security
Reported: 2005-08-04 12:26 EDT by Linda Wang
Modified: 2015-01-04 17:21 EST
Doc Type: Bug Fix
Last Closed: 2005-08-30 04:31:30 EDT
Description Linda Wang 2005-08-04 12:26:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Red Hat/1.0.4-1.4.1 Firefox/1.0.4

Description of problem:
This one is user-triggerable (local only).  Oops should be trivial,
haven't convinced myself if priv-escalation is possible.  It's public
(upstream, and pending for -stable), so just an FYI.



Version-Release number of selected component (if applicable):
kernel-2.6.9-11

How reproducible:
Always

Steps to Reproduce:
1. boot the kernel
2. network related


Additional info:

----- Forwarded message from Chris Wright <chrisw osdl org> -----

Date: Wed, 3 Aug 2005 00:01:27 -0700
From: Chris Wright <chrisw osdl org>
User-Agent: Mutt/1.5.6i
To: linux-kernel vger kernel org, stable kernel org
Cc: akpm osdl org, Theodore Ts'o <tytso mit edu>,
	Zwane Mwaikambo <zwane arm linux org uk>,
	Justin Forbes <jmforbes linuxtx org>,
	Randy Dunlap <rdunlap xenotime net>, torvalds osdl org,
	Chuck Wolber <chuckw quantumlinux com>,
	"David S. Miller" <davem davemloft net>, alan lxorguk ukuu org uk,
	Herbert Xu <herbert gondor apana org au>
Subject: [09/13] [XFRM]: Fix possible overflow of sock->sk_policy

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Herbert Xu <herbert gondor apana org au>

[XFRM]: Fix possible overflow of sock->sk_policy

Spotted by, and original patch by, Balazs Scheidler.

Signed-off-by: Herbert Xu <herbert gondor apana org au>
Signed-off-by: David S. Miller <davem davemloft net>
Signed-off-by: Chris Wright <chrisw osdl org>
Signed-off-by: Greg Kroah-Hartman <gregkh suse de>
---
 net/xfrm/xfrm_user.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/xfrm/xfrm_user.c	2005-07-28 11:17:18.000000000 -0700
@@ -1180,6 +1180,9 @@
 	if (nr > XFRM_MAX_DEPTH)
 		return NULL;
 
+	if (p->dir > XFRM_POLICY_OUT)
+		return NULL;
+
 	xp = xfrm_policy_alloc(GFP_KERNEL);
 	if (xp == NULL) {
 		*dir = -ENOBUFS;
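
Review bot: The new `p->dir > XFRM_POLICY_OUT` check returns NULL without writing an error code to `*dir`, while the allocation-failure path directly below sets `*dir = -ENOBUFS` before it bails out, so a caller that reports the error through `*dir` has nothing meaningful to return for a rejected direction. Consider setting `*dir = -EINVAL;` before the `return NULL;` (the existing `nr > XFRM_MAX_DEPTH` check above has the same gap). The test is also only an upper bound, so it is worth confirming that `p->dir` is an unsigned field; if it is signed, a negative value would still pass. A one-line comment stating that the bound protects the `sock->sk_policy` array named in the subject would make the reason for the check clear to later readers.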

----- End forwarded message -----
Comment 1 Mark J. Cox (Product Security) 2005-08-30 04:31:30 EDT

*** This bug has been marked as a duplicate of 165560 ***
