oss-security - Re: Re: CVE-2009-1265 kernel: af_rose/x25: Sanity check the maximum user frame size

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Thu, 23 Apr 2009 09:08:05 +0200
From: Willy Tarreau <w@....eu>
To: Eugene Teo <eugene@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-2009-1265 kernel: af_rose/x25: Sanity check the maximum user frame size

On Thu, Apr 23, 2009 at 02:54:06PM +0800, Eugene Teo wrote:
> Willy Tarreau wrote:
> > Hi Eugene,
> > 
> > On Wed, Apr 08, 2009 at 03:58:55PM +0800, Eugene Teo wrote:
> >> {nr,rose,x25}_sendmsg() functions need to have sanity checks on the
> >> packet size, otherwise the sizes can wrap and end up sending garbage.
> >>
> >> http://bugzilla.kernel.org/show_bug.cgi?id=10423
> >> http://git.kernel.org/linus/83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
> >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1265
> >>
> >> This affects both 2.4.x and 2.6.x if CONFIG_{NETROM,ROSE,X25} are enabled.
> > 
> > I already have it in my queue, just did not have time to merge it yet.
> > Thanks for the reminder anyway, I really appreciate it ;-)
> 
> You will need this too :)
> 
> upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab
> 
> Patch "af_rose/x25: Sanity check the maximum user frame size"
> (commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got
> locking wrong. If we bail out due to user frame size being too large,
> we must unlock the socket beforehand.

OK thanks Eugene!
Willy

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.