diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-14 08:44:02 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-14 08:44:11 -0400 |
commit | f721d46cf60ce310d6ff2e061cc17289ba795200 (patch) | |
tree | fa871c5788b057af587338da176000d3c0afc110 | |
parent | 45ab0ced853762fe12435810849e70268dc0a46b (diff) | |
download | kernel-f721d46cf60ce310d6ff2e061cc17289ba795200.tar.gz kernel-f721d46cf60ce310d6ff2e061cc17289ba795200.tar.xz kernel-f721d46cf60ce310d6ff2e061cc17289ba795200.zip |
CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
-rw-r--r-- | kernel.spec | 6 | ||||
-rw-r--r-- | netfilter-x_tables-check-for-size-overflow.patch | 31 |
2 files changed, 37 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index af22cf783..dea176571 100644 --- a/kernel.spec +++ b/kernel.spec @@ -616,6 +616,9 @@ Patch649: perf-tools-Fix-python-extension-build.patch #rhbz 1316136 Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch +#CVE-2016-3135 rhbz 1317386 1317387 +Patch664: netfilter-x_tables-check-for-size-overflow.patch + # END OF PATCH DEFINITIONS %endif @@ -2137,6 +2140,9 @@ fi # # %changelog +* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387) + * Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org> - Add patch for ICP DAS I-756xU devices (rhbz 1316136) diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch new file mode 100644 index 000000000..81e3d36fa --- /dev/null +++ b/netfilter-x_tables-check-for-size-overflow.patch @@ -0,0 +1,31 @@ +Subject: [PATCH nf] netfilter: x_tables: check for size overflow +From: Florian Westphal <fw () strlen ! de> +Date: 2016-03-10 0:56:23 + +Ben Hawkes says: + integer overflow in xt_alloc_table_info, which on 32-bit systems can + lead to small structure allocation and a copy_from_user based heap + corruption. + +Reported-by: Ben Hawkes <hawkes@google.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + net/netfilter/x_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index c8a0b7d..17a9a9f 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) + struct xt_table_info *info = NULL; + size_t sz = sizeof(*info) + size; + ++ if (sz < sizeof(*info)) ++ return NULL; ++ + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ + if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) + return NULL; +-- +2.4.10 |