Bug 452096 - (CVE-2008-2750) CVE-2008-2750 kernel: l2tp: Fix potential memory corruption in pppol2tp-recvmsg() (Heap corruption DoS)
CVE-2008-2750 kernel: l2tp: Fix potential memory corruption in pppol2tp-recvm...
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
reported=20080610,public=20080610,imp...
: Security
Depends On: 452110 452111 452112
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-19 07:00 EDT by Jan Lieskovsky
Modified: 2010-12-23 14:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 14:07:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2008-06-19 07:00:33 EDT
Description of problem:

James Chapman has provided upstream 2.6.26-rc6 (based on Ilya's report)
for the following issue:

This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into unintialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Version-Release number of selected component (if applicable):
All kernel versions containing support for L2TP protocol < 2.6.26-rc6


Additional info:

Proposed upstream patch for this issue from James Chapman:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6b6707a50c7598a83820077393f8823ab791abf8;hp=2e761e0532a784816e7e822dbaaece8c5d4be14d

Note You need to log in before you can comment on or make changes to this bug.