diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-03-23 15:09:12 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-03-23 15:10:23 -0400 |
| commit | ebfb149da321e85bbc4aef8776db0ec30ca94d38 (patch) | |
| tree | ced1f5fd9e900cb6e1fb1979d34cf77201a651c5 | |
| parent | 68ca5f550091e7cf5946b4416ee6a15c3a5fa871 (diff) | |
| download | kernel-ebfb149da321e85bbc4aef8776db0ec30ca94d38.tar.gz kernel-ebfb149da321e85bbc4aef8776db0ec30ca94d38.tar.xz kernel-ebfb149da321e85bbc4aef8776db0ec30ca94d38.zip | |
Validate iovec range in sys_sendto/sys_recvfrom
| -rw-r--r-- | kernel.spec | 9 | ||||
| -rw-r--r-- | net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch | 37 |
2 files changed, 44 insertions, 2 deletions
diff --git a/kernel.spec b/kernel.spec index dde1ea17c..c8876ed15 100644 --- a/kernel.spec +++ b/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -635,6 +635,8 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch Patch26172: Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch +Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch + # END OF PATCH DEFINITIONS %endif @@ -1375,6 +1377,8 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch ApplyPatch Revert-drm-i915-Ensure-plane-state-fb-stays-in-sync-.patch +ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch + # END OF PATCH APPLICATIONS %endif @@ -2225,7 +2229,8 @@ fi # # %changelog -* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc5.git0.1 +* Mon Mar 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc5.git0.3 +- Validate iovec range in sys_sendto/sys_recvfrom - Revert i915 commit that causes boot hangs on at least some headless machines - Linux v4.0-rc5 diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch new file mode 100644 index 000000000..d82fb0f51 --- /dev/null +++ b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch @@ -0,0 +1,37 @@ +From: Al Viro <viro@ZenIV.linux.org.uk> +Date: Fri, 20 Mar 2015 17:41:43 +0000 +Subject: [PATCH] net: validate the range we feed to iov_iter_init() in + sys_sendto/sys_recvfrom + +Cc: stable@vger.kernel.org # v3.19 +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/socket.c b/net/socket.c +index bbedbfcb42c2..245330ca0015 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, + + if (len > INT_MAX) + len = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_READ, buff, len))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +@@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + + if (size > INT_MAX) + size = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +-- +2.1.0 + |