Date: Thu, 03 Mar 2011 22:47:44 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE-2011-1023 kernel: rds: prevent BUG_ON triggering on congestion map updates

This was discovered internally when testing CVE-2010-3904.

http://marc.info/?l=linux-netdev&m=129908332903057&w=2

"Tracked it down to a flaw in the xmit methods for the loop and ib 
transports. Those two transports, when called with an rds message that 
has the RDS_FLAG_CONG_BITMAP set, execute a rds_cong_map_updated call 
and return.  Since the xmit method requires that the number of bytes 
sent be returned, and a congestion map update doesn't really send any 
data, it just returns the sizeof an rds_header plus the defined size of 
the congestion map.  This is problematic because the caller of these 
methods (rds_send_xmit), validates that we didn't send more data than 
was available in the passed rds_message.  If the return value from 
->xmit() is larger than the remaining data in the message, we bug halt, 
which is exactly what we get above.  We could add a check to skip the 
bug on check if the RDS_FLAG_CONG_BITMAP flag is set, but I think the 
check is otherwise valid, so I've fixed it with this patch, which limits 
the return value in the affected transports to not be more than the 
remaining space in the rds_message."

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
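An added illustration, not code from this thread or from the kernel: a user-space model in C of the bookkeeping described above. The transport's return value for a congestion-map update is fed through a caller loop shaped like rds_send_xmit, once unclamped (the flawed loop/ib behaviour) and once limited to the bytes the message actually has left (what the fix does). The struct layouts and the header/map sizes are stand-ins chosen for the model, not the kernel's values.

```c
#include <stddef.h>

/* Constructed model of the accounting in rds_send_xmit; the sizes are
 * stand-ins, not the kernel's real values. */
#define HDR_BYTES   48    /* stands in for sizeof(struct rds_header) */
#define CONG_BYTES  8192  /* stands in for RDS_CONG_MAP_BYTES */

struct msg    { size_t nsg; size_t sg_len[4]; };  /* op_nents, sg lengths */
struct cursor { size_t hdr_off, sg, data_off; };   /* c_xmit_* send cursor */

/* Bytes of header + data not yet accounted for in this message. */
static size_t remaining(const struct msg *m, const struct cursor *c)
{
    size_t left = HDR_BYTES - c->hdr_off;
    for (size_t i = c->sg; i < m->nsg; i++)
        left += m->sg_len[i] - (i == c->sg ? c->data_off : 0);
    return left;
}

/* Transport reply for a congestion-map update: unclamped (the flaw) or
 * limited to what the message has left (the fix). */
static size_t cong_xmit(const struct msg *m, const struct cursor *c, int clamped)
{
    size_t claimed = HDR_BYTES + CONG_BYTES;
    size_t left = remaining(m, c);
    return (clamped && left < claimed) ? left : claimed;
}

/* Caller's bookkeeping. Returns 0 when every reported byte fits in the
 * message, -1 where the kernel would hit BUG_ON: bytes still outstanding
 * after the last scatterlist entry has been consumed. */
static int account(const struct msg *m, struct cursor *c, size_t ret)
{
    if (c->hdr_off < HDR_BYTES) {
        size_t t = HDR_BYTES - c->hdr_off;
        if (t > ret) t = ret;
        c->hdr_off += t; ret -= t;
    }
    while (ret) {
        if (c->sg == m->nsg) return -1;          /* the BUG_ON condition */
        size_t t = m->sg_len[c->sg] - c->data_off;
        if (t > ret) t = ret;
        c->data_off += t; ret -= t;
        if (c->data_off == m->sg_len[c->sg]) { c->data_off = 0; c->sg++; }
    }
    return 0;
}

/* One update through the caller, on a constructed message carrying a
 * single 4 KiB data entry, i.e. smaller than the claimed map size. */
int cong_update_trips_bug(int clamped)
{
    struct msg m = { 1, { 4096, 0, 0, 0 } };
    struct cursor c = { 0, 0, 0 };
    return account(&m, &c, cong_xmit(&m, &c, clamped));
}
```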