Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Wed, 18 Jun 2008 18:18:40 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com, security@...nel.org
Subject: query on a pppol2tp_recvmsg() fix - security relevant?

Hi folks,

A customer asks us if the following is a security problem:

http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.26-rc6
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b6707a50c7598a83820077393f8823ab791abf8

--
l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

    This patch fixes a potential memory corruption in
    pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
    length, memcpy_toiovec() will go into unintialized data on the kernel
    heap, interpret it as an iovec and start modifying memory.

    The fix is to change the memcpy_toiovec() call to
    skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
    are handled properly. Also check that the caller's buffer is big
    enough for the data and set the MSG_TRUNC flag if it is not so.

    Reported-by: Ilja <ilja@...ric.org>
    Signed-off-by: James Chapman <jchapman@...alix.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>


Is this a problem?

Ciao, Marcus

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux