User: Password:
|
|
Subscribe / Log in / New account

[PATCH] raw_sendmsg DoS on 2.6

From:  Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>
To:  git-commits-head-AT-vger.kernel.org
Subject:  [PATCH] raw_sendmsg DoS on 2.6
Date:  Tue, 20 Sep 2005 14:00:55 -0700
Archive-link:  Article, Thread

tree 458323fe234aef3e5b96abf153feec48fe8a84df
parent 997a51ae373df6484cdd4a5fc61a9c9bec82cd68
author Mark J Cox <mjc@redhat.com> Tue, 20 Sep 2005 07:55:30 -0700
committer Linus Torvalds <torvalds@g5.osdl.org> Tue, 20 Sep 2005 08:45:42 -0700

[PATCH] raw_sendmsg DoS on 2.6

Fix unchecked __get_user that could be tricked into generating a
memory read on an arbitrary address.  The result of the read is not
returned directly but you may be able to divine some information about
it, or use the read to cause a crash on some architectures by reading
hardware state.  CAN-2004-2492.

Fix from Al Viro, ack from Dave Miller.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>

 net/ipv4/raw.c |    2 +-
 net/ipv6/raw.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -361,7 +361,7 @@ static void raw_probe_proto_opt(struct f
 
 			if (type && code) {
 				get_user(fl->fl_icmp_type, type);
-				__get_user(fl->fl_icmp_code, code);
+			        get_user(fl->fl_icmp_code, code);
 				probed = 1;
 			}
 			break;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -627,7 +627,7 @@ static void rawv6_probe_proto_opt(struct
 
 			if (type && code) {
 				get_user(fl->fl_icmp_type, type);
-				__get_user(fl->fl_icmp_code, code);
+				get_user(fl->fl_icmp_code, code);
 				probed = 1;
 			}
 			break;


(Log in to post comments)


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds