Date: Thu, 03 Mar 2011 22:47:44 +0800 From: Eugene Teo <eugene@...hat.com> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE-2011-1023 kernel: rds: prevent BUG_ON triggering on congestion map updates This was discovered internally when testing CVE-2010-3904. http://marc.info/?l=linux-netdev&m=129908332903057&w=2 "Tracked it down to a flaw in the xmit methods for the loop and ib transports. Those two transports, when called with an rds message that has the RDS_FLAG_CONG_BITMAP set, execute a rds_cong_map_updated call and return. Since the xmit method requires that the number of bytes sent be returned, and a congestion map update doesn't really send any data, it just returns the sizeof an rds_header plus the defined size of the congestion map. This is problematic because the caller of these methods (rds_send_xmit), validates that we didn't send more data than was available in the passed rds_message. If the return value from ->xmit() is larger than the remaining data in the message, we bug halt, which is exactly what we get above. We could add a check to skip the bug on check if the RDS_FLAG_CONG_BITMAP flag is set, but I think the check is otherwise valid, so I've fixed it with this patch, which limits the return value in the effected transports to not be more than the remainig space in the rds_message." Thanks, Eugene -- Eugene Teo / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.