oss-sec mailing list archives

CVE Request: Linux kernel: Buffer overflow when copying data from skbuff to userspace


From: Sabrina Dubroca <sd () queasysnail net>
Date: Tue, 27 Oct 2015 14:16:44 +0100

skb_copy_and_csum_datagram_iovec doesn't check the actual length of
the iovec's buffers to which it copies data, so memcpy_toiovec can
copy to an address that was not specified by userspace, but is garbage
lying on the kernel stack.

In some cases, this address can be a valid userspace address, to which
memcpy_toiovec will write the buffers.
This can happen when userspace calls write followed by recvmsg.

In that case, memcpy_toiovec will dump the packet contents to the
buffer passed to the write call, and can for example overwrite stack
contents.

Patch has been submitted:
http://patchwork.ozlabs.org/patch/530642/

Versions affected:
stable kernels before v3.19 (3.x.y, x <= 18) that have backported
commit 89c22d8c3b27 ("net: Fix skb csum races when peeking")

v3.18.22
v3.14.54+
v3.12.48, v3.12.49
v3.10.90+
v3.2.72
3.16.7-ckt17, 3.16.7-ckt18
3.13.11-ckt27, 3.13.11-ckt28


Could we get a CVE for this?


Thanks,

-- 
Sabrina
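The mechanism in the report above, as an added user-space C model that is neither code from the report nor from the kernel. It keeps a small array standing in for the kernel-stack area that holds a syscall's iovec array, does not clear it between "syscalls", and copies a datagram through a re-implementation of the old memcpy_toiovec walk, which takes no entry count and simply trusts that the requested length fits the supplied iovecs. Everything here is constructed: the 32-byte write() buffer, the 8-byte recvmsg() buffer, the 24-byte packet, the layout assumption that write()'s leftover iovec sits in the slot recvmsg() would treat as entry 1, and the bounds guard on the simulated stack (the real code has none). The "fixed" branch, which bounds the copy by the length userspace asked for rather than by skb->len - hlen, is this example's representation of the submitted patch, not the patch itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>   /* struct iovec */

/* Constructed model of the bug report: a fixed-size "kernel stack" slot that
 * holds the iovec array for whichever syscall is running. It is deliberately
 * not cleared between syscalls, so an iovec a previous write() built there is
 * still visible when recvmsg() fills only its first entry. This is a user-space
 * simulation, not the kernel's code. */
#define STACK_IOV_SLOTS 4
#define SIM_EFAULT (-14)

static struct iovec stack_iov[STACK_IOV_SLOTS];
static char write_buf[32];   /* userspace buffer handed to write() */
static char recv_buf[8];     /* userspace buffer handed to recvmsg() */

/* Model of the old memcpy_toiovec(): walks iovec entries until len bytes are
 * delivered. Like the real helper it takes no entry count; it trusts the caller
 * to have bounded len by the total iov_len that userspace supplied. The
 * stack_iov bound is a simulation guard only, so the model stays memory-safe. */
static int model_memcpy_toiovec(struct iovec *iov, const char *kdata, size_t len)
{
    const struct iovec *end = stack_iov + STACK_IOV_SLOTS;

    while (len > 0) {
        if (iov >= end)
            return SIM_EFAULT;   /* the real code would keep walking the stack */
        if (iov->iov_len) {
            size_t copy = iov->iov_len < len ? iov->iov_len : len;
            memcpy(iov->iov_base, kdata, copy);   /* copy_to_user() in-kernel */
            kdata += copy;
            len -= copy;
            iov->iov_len -= copy;
            iov->iov_base = (char *)iov->iov_base + copy;
        }
        iov++;
    }
    return 0;
}

/* write(fd, write_buf, 32): the kernel builds an iovec for the plain write on
 * its stack and leaves it there on return. Layout assumption (constructed):
 * that iovec lands in the slot recvmsg() will later treat as entry 1. */
static void sim_write(void)
{
    memset(write_buf, 'W', sizeof write_buf);
    stack_iov[1].iov_base = write_buf;
    stack_iov[1].iov_len = sizeof write_buf;
}

/* recvmsg() with a single 8-byte iovec on a 24-byte datagram. Only entry 0 of
 * the stack array is written by the syscall; entry 1 is whatever write() left.
 * fixed == 0 copies the whole payload (skb->len - hlen) as the report
 * describes; fixed == 1 bounds the copy by the length userspace asked for,
 * which is how this model represents the submitted patch (assumption). */
static int sim_recvmsg(int fixed)
{
    char packet[24];
    size_t hlen = 0;                       /* no header to skip in this model */
    size_t skb_len = sizeof packet;
    size_t len = sizeof recv_buf;          /* total iov_len userspace supplied */
    size_t chunk;

    memset(packet, 'P', sizeof packet);    /* constructed datagram payload */
    stack_iov[0].iov_base = recv_buf;
    stack_iov[0].iov_len = len;

    chunk = fixed ? len : skb_len - hlen;
    return model_memcpy_toiovec(stack_iov, packet + hlen, chunk);
}

/* Runs write() then recvmsg() and returns how many bytes of write_buf were
 * overwritten by the receive path (0 means recvmsg stayed inside recv_buf).
 * Returns -1 if the simulated walk ran off the modelled stack. */
int run_scenario(int fixed)
{
    int clobbered = 0;
    size_t i;

    memset(stack_iov, 0, sizeof stack_iov);
    memset(recv_buf, 0, sizeof recv_buf);
    sim_write();
    if (sim_recvmsg(fixed) != 0)
        return -1;
    for (i = 0; i < sizeof write_buf; i++)
        if (write_buf[i] != 'W')
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("unbounded copy: %d bytes of the write() buffer overwritten\n",
           run_scenario(0));
    printf("bounded copy:   %d bytes of the write() buffer overwritten\n",
           run_scenario(1));
    return 0;
}
```

With the unbounded copy, the first 8 payload bytes land in recv_buf as requested and the remaining 16 are written through the stale iovec into write_buf, which is the "valid userspace address" case the report describes; bounding the copy by the caller's length never touches entry 1, stale or not.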

