oss-sec mailing list archives
Re: CVE request: kernel: integer overflow in RDS
From: Eugene Teo <eugene () redhat com>
Date: Thu, 18 Nov 2010 09:39:12 +0800
On 11/18/2010 12:58 AM, Dan Rosenberg wrote:
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This needs a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. This is closely related to CVE-2010-3865 (http://www.spinics.net/lists/netdev/msg145359.html), which also concerned various integer overflow and memory corruption issues in rds_cmsg_rdma_args(). In fact, I'd say it's due to an incomplete fix. Reference: http://marc.info/?l=linux-netdev&m=129001184803080&w=2
Please use CVE-2010-4175. Thanks. Eugene -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Current thread:
- CVE request: kernel: integer overflow in RDS Dan Rosenberg (Nov 17)
- Re: CVE request: kernel: integer overflow in RDS Eugene Teo (Nov 17)