Red Hat Bugzilla – Bug 457703
CVE-2008-3535 kernel: fix off-by-one error in iov_iter_advance()
Last modified: 2016-03-04 07:42:19 EST
Description of problem:
Alexey Dobriyan reported that it is possible to crash a machine by running ftest03 from the LTP test suite (20080630).
The iov_iter_advance() function would look at the iov->iov_len entry even though it might have iterated over the whole array, and iov was pointing past the end. This would cause DEBUG_PAGEALLOC to trigger a kernel page fault if the allocation was at the end of a page, and the next page was unallocated.
Proposed upstream patch:
Created attachment 313297
LTP testsuite package 20080630
Created attachment 313298
Proposed backported patch for MRG kernel
This was addressed via:
MRG Realtime for RHEL 5 Server (RHSA-2008:0857)
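
The read past the end of the iovec array described in the problem description above, reproduced in a user-space model as an added example (this is not the kernel source and not the attached patch). `struct iter`, `seg_len`, `advance`, `run` and the `guard` flag are hypothetical names; the guarded loop condition is one way to avoid the read and is an assumption, not a statement of what the proposed patch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>

/* User-space model of a multi-segment iterator (constructed, not kernel code). */
struct iter {
    const struct iovec *iov; /* segment array */
    size_t nr_segs, idx;     /* array length, current segment */
    size_t off, count;       /* offset in segment, bytes left overall */
    unsigned oob_reads;      /* iov_len loads at or past iov[nr_segs] */
};

/* Checked stand-in for iov->iov_len: a load past the array is counted
 * instead of performed, and reported as nonzero so the loop stops. */
static size_t seg_len(struct iter *it)
{
    if (it->idx >= it->nr_segs) { it->oob_reads++; return 1; }
    return it->iov[it->idx].iov_len;
}

/* Advance by bytes (caller keeps bytes <= count), skipping empty segments.
 * guard=0 tests the length unconditionally; guard=1 only while count != 0. */
static void advance(struct iter *it, size_t bytes, int guard)
{
    while (bytes || ((!guard || it->count) && !seg_len(it))) {
        size_t len = seg_len(it);
        size_t copy = len - it->off;
        if (copy > bytes) copy = bytes;
        it->count -= copy; bytes -= copy;
        it->off += copy;
        if (it->off == len) { it->idx++; it->off = 0; }
    }
}

/* Constructed input: segments of 4, 0 and 4 bytes, 8 bytes in total. */
static struct iter run(size_t bytes, int guard)
{
    static char a[4], b[4];
    static const struct iovec v[3] = { {a, 4}, {b, 0}, {b, 4} };
    struct iter it = { v, 3, 0, 0, 8, 0 };
    advance(&it, bytes, guard);
    return it;
}

int main(void)
{
    printf("unguarded: %u, guarded: %u\n", run(8, 0).oob_reads, run(8, 1).oob_reads);
    return 0;
}
```

In the model the stray load is only counted; in the kernel the same load touches memory after the array, which is what faults under DEBUG_PAGEALLOC when the array ends at a page boundary.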