validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom in kernel-net CVE-2015-2686 critical

Tracked by Jolla (Rejected)

asked 2017-05-09 12:58:29 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-05-09 13:00:25 +0300

lpr gravatar image

Description
net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem. CVSSv3 7.8 high (attack range: local)

Upstream-Commit is available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/socket.c lines:1707-1712; 1766-1771

edit retag flag offensive close delete