oss-sec mailing list archives
CVE Request: Linux kernel: Buffer overflow when copying data from skbuff to userspace
From: Sabrina Dubroca <sd () queasysnail net>
Date: Tue, 27 Oct 2015 14:16:44 +0100
skb_copy_and_csum_datagram_iovec doesn't check the actual length of the iovec's buffers to which it copies data, then memcpy_toiovec can copy to an address that was not specified by userspace, but garbage lying on the kernel stack. In some cases, this address can be a valid userspace address, to which memcpy_toiovec will write the buffers. This can happen when userspace calls write followed by recvmsg. In that case, memcpy_toiovec will dump the packet contents to the buffer passed to the write call, and can for example overwrite stack contents.

Patch has been submitted: http://patchwork.ozlabs.org/patch/530642/

Versions affected: stable kernels before v3.19 (3.x.y, x <= 18) that have backported commit 89c22d8c3b27 ("net: Fix skb csum races when peeking")
v3.18.22
v3.14.54+
v3.12.48, v3.12.49
v3.10.90+
v3.2.72
3.16.7-ckt17, 3.16.7-ckt18
3.13.11-ckt27, 3.13.11-ckt28

Could we get a CVE for this?

Thanks,
--
Sabrina
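A constructed userspace model of the bug class described in the report, added here as an illustration and not the kernel's code or the submitted patch: an iovec copy loop that trusts the caller's entry count beside one that checks the iovec's total capacity first. The function names, the struct layout standing in for stale stack data, and the payload are assumptions.

```c
#include <errno.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed stand-in for a memcpy_toiovec-style loop: it copies `len` bytes into
 * consecutive iovec entries without checking how many entries the caller supplied,
 * so once those are used up it reads iovec structs from whatever memory follows. */
static void copy_to_iovec_unchecked(struct iovec *iov, const char *src, size_t len)
{
    while (len > 0) {
        size_t n = iov->iov_len < len ? iov->iov_len : len;
        memcpy(iov->iov_base, src, n);
        src += n; len -= n; iov++;
    }
}

/* Hardened: check the caller-supplied capacity first (illustrative fix pattern, not the kernel patch). */
static int copy_to_iovec_checked(struct iovec *iov, int iovcnt, const char *src, size_t len)
{
    size_t cap = 0;
    for (int i = 0; i < iovcnt; i++)
        cap += iov[i].iov_len;
    if (cap < len)
        return -EFAULT;                        /* caller's buffers too small */
    copy_to_iovec_unchecked(iov, src, len);    /* now guaranteed to stop inside iov[] */
    return 0;
}

/* Two real entries followed by a stale one that models leftover data beyond the
 * array (stack garbage, in the report), plus a constructed 12-byte payload. */
struct iov_frame { struct iovec iov[2]; struct iovec stale; };
static const char packet[] = "AAAABBBBCCCC";

/* Returns how many bytes the unchecked copy wrote into the buffer the stale entry
 * points at, i.e. memory the caller never asked to receive. */
size_t demo_unchecked_overrun(void)
{
    char a[4], b[4], victim[16] = {0};
    struct iov_frame f = { { { a, sizeof a }, { b, sizeof b } }, { victim, sizeof victim } };
    copy_to_iovec_unchecked(f.iov, packet, sizeof packet - 1);
    return strlen(victim);
}

/* The same copy into the same 8 bytes of caller capacity, now rejected. */
int demo_checked_rejects(void)
{
    char a[4], b[4];
    struct iovec iov[2] = { { a, sizeof a }, { b, sizeof b } };
    return copy_to_iovec_checked(iov, 2, packet, sizeof packet - 1);
}
```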