validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom in kernel-net CVE-2015-2686 critical [released]
asked 2017-05-09 12:58:29 +0200
This post is a wiki. Anyone with karma >75 is welcome to improve it.
Description
net/socket.c in the Linux kernel - not just 3.19 http://www.securityfocus.com/bid/73286 - before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem. CVSSv3 7.8 high (attack range: local)
Upstream-Commit is available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/socket.c lines:1707-1712; 1766-1771
edit20170523: seems to be rejected, why?
@jovirkku why is this "Rejected"?
lpr ( 2017-05-23 12:29:26 +0200 )edit@veskuh seems not to be too hard to fix this (4-liner), CVSSv3 base score 7.8 high, so why is it rejected?
lpr ( 2017-05-23 12:39:10 +0200 )editbecause in the Linux kernel 3.19 before 3.19.3
coderus ( 2017-05-23 14:14:51 +0200 )edit@coderusas you may know: Linux kernel 3.19 before 3.19.3 means Linux kernel 3.19 vanilla before 3.19.3 vanilla
lpr ( 2017-05-23 15:08:14 +0200 )editwe have no devices running 3.19 kernels :D
coderus ( 2017-05-23 18:17:25 +0200 )edit