Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Nov 2010 11:58:02 -0500
From: Dan Rosenberg <>
Subject: CVE request: kernel: integer overflow in RDS

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This needs a tighter upper bound,
since the calculation of total iov_size can overflow, resulting in a
small sock_kmalloc() allocation.  This would probably just result in
walking off the heap and crashing when calling rds_rdma_pages() with a
high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

This is closely related to CVE-2010-3865
(, which also
concerned various integer overflow and memory corruption issues in
rds_cmsg_rdma_args().  In fact, I'd say it's due to an incomplete fix.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ