tags/2.6.13-4/1007_1_sendmsg-DoS.patch

From security-bounces@linux.kernel.org  Wed Aug 31 02:55:24 2005
Date: Wed, 31 Aug 2005 10:55:12 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
Cc: aviro@redhat.com, davem@redhat.com
Subject: [PATCH] raw_sendmsg DoS (CAN-2005-2492)

From: Al Viro <aviro@redhat.com>

Fix unchecked __get_user that could be tricked into generating a
memory read on an arbitrary address.  The result of the read is not
returned directly but you may be able to divine some information about
it, or use the read to cause a crash on some architectures by reading
hardware state.  CAN-2005-2492.

Fix from Al Viro, ack from Dave Miller.

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 net/ipv4/raw.c |    2 +-
 net/ipv6/raw.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Index: linux-2.6.13.y/net/ipv4/raw.c
===================================================================
--- linux-2.6.13.y.orig/net/ipv4/raw.c
+++ linux-2.6.13.y/net/ipv4/raw.c
@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
 
                        if (type && code) {
                                get_user(fl->fl_icmp_type, type);
-                               __get_user(fl->fl_icmp_code, code);
+                               get_user(fl->fl_icmp_code, code);
                                probed = 1;
                        }
                        break;
Index: linux-2.6.13.y/net/ipv6/raw.c
===================================================================
--- linux-2.6.13.y.orig/net/ipv6/raw.c
+++ linux-2.6.13.y/net/ipv6/raw.c
@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
 
                        if (type && code) {
                                get_user(fl->fl_icmp_type, type);
-                               __get_user(fl->fl_icmp_code, code);
+                               get_user(fl->fl_icmp_code, code);
                                probed = 1;
                        }
                        break;
1	From security-bounces@linux.kernel.org Wed Aug 31 02:55:24 2005
2	Date: Wed, 31 Aug 2005 10:55:12 +0100 (BST)
3	From: Mark J Cox <mjc@redhat.com>
4	Cc: aviro@redhat.com, davem@redhat.com
5	Subject: [PATCH] raw_sendmsg DoS (CAN-2005-2492)
6
7	From: Al Viro <aviro@redhat.com>
8
9	Fix unchecked __get_user that could be tricked into generating a
10	memory read on an arbitrary address. The result of the read is not
11	returned directly but you may be able to divine some information about
12	it, or use the read to cause a crash on some architectures by reading
13	hardware state. CAN-2005-2492.
14
15	Fix from Al Viro, ack from Dave Miller.
16
17	Signed-off-by: Chris Wright <chrisw@osdl.org>
18	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
19	---
20	net/ipv4/raw.c \| 2 +-
21	net/ipv6/raw.c \| 2 +-
22	2 files changed, 2 insertions(+), 2 deletions(-)
23
24	Index: linux-2.6.13.y/net/ipv4/raw.c
25	===================================================================
26	--- linux-2.6.13.y.orig/net/ipv4/raw.c
27	+++ linux-2.6.13.y/net/ipv4/raw.c
28	@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
29
30	if (type && code) {
31	get_user(fl->fl_icmp_type, type);
32	- __get_user(fl->fl_icmp_code, code);
33	+ get_user(fl->fl_icmp_code, code);
34	probed = 1;
35	}
36	break;
37	Index: linux-2.6.13.y/net/ipv6/raw.c
38	===================================================================
39	--- linux-2.6.13.y.orig/net/ipv6/raw.c
40	+++ linux-2.6.13.y/net/ipv6/raw.c
41	@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
42
43	if (type && code) {
44	get_user(fl->fl_icmp_type, type);
45	- __get_user(fl->fl_icmp_code, code);
46	+ get_user(fl->fl_icmp_code, code);
47	probed = 1;
48	}
49	break;