Red Hat Bugzilla – Bug 166249
CAN-2005-2490 sendmsg compat stack overflow
Last modified: 2015-01-04 17:21:35 EST
+++ This bug was initially created as a clone of Bug #166248 +++
See above bug for commentary and patch
Al Viro reported a flaw in sendmsg(). "When we copy 32bit ->msg_control contents
to kernel, we walk the same userland data twice without sanity checks on the
second pass. Moreover, if original looks small enough, we end up copying to
This is a kernel buffer overflow and therefore could lead to privilege escalation.
This affects 2.6 head, and from brief inspection the code in linux 2.6.9 is
similar and therefore RHEL4 is affected.
Marking as embargoed for now, needs reporting to vendor-sec and kernel@security
Notified email@example.com, vendor-sec.
Embargo set for one week, 20050907:12
Public 20050908, removing embargo