rds: Integer overflow in RDS cmsg handling

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Dan Rosenberg and committed by David S. Miller 218854af 7d98ffd8

+1 -1
net/rds/rdma.c
··· 567 goto out; 568 } 569 570 - if (args->nr_local > (u64)UINT_MAX) { 571 ret = -EMSGSIZE; 572 goto out; 573 }
··· 567 goto out; 568 } 569 570 + if (args->nr_local > UIO_MAXIOV) { 571 ret = -EMSGSIZE; 572 goto out; 573 }
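
Review bot: the new bound at line 570, `if (args->nr_local > UIO_MAXIOV)`, has no comment explaining why UIO_MAXIOV is the limit. A one-line comment tying it to the iov_size calculation and the sock_kmalloc() allocation named in the commit message would help keep a later change from loosening it again. The hunk does not show the iov_size computation itself, so it is worth confirming at that site that the size arithmetic cannot wrap for any nr_local up to UIO_MAXIOV, and that -EMSGSIZE is still the errno callers should see now that much smaller counts are rejected.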