Linux kernel 2.6.35 Integer overflow in RDS cmsg

2011-01-12 / 2011-01-13
Credit: Dan Rosenberg
Risk: Low
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This seems to need a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> --- net/rds/rdma.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 8920f2a..0a969f6 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, goto out; } - if (args->nr_local > (u64)UINT_MAX) { + if (args->nr_local > (u64)UIO_MAXIOV) { ret = -EMSGSIZE; goto out; }
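Review bot: the tightened bound removes the overflow only as a side effect, and nothing in the hunk says so; the product the commit message describes (nr_local multiplied by the iovec size, feeding sock_kmalloc()) still has no explicit overflow check, so anyone who later raises the limit reintroduces the bug silently. Either add a comment on the `if (args->nr_local > (u64)UIO_MAXIOV)` check stating that it also keeps iov_size from wrapping, or compute iov_size with an overflow-checked multiply so the bound and the arithmetic are independently safe. Minor: the old test `> (u64)UINT_MAX` let nr_local == UINT_MAX through, so "restricted to less than UINT_MAX" in the message overstates the previous check; worth correcting in the changelog.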

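The wrap the commit message describes, as an added example that is not part of the advisory or of the kernel source. It models the size arithmetic in C: nr_local arrives as a 64-bit value from userspace, is multiplied by sizeof(struct rds_iovec) (16 bytes: two u64 fields, as in the RDS userspace header), and, on the assumption that the allocation size is held in a 32-bit unsigned variable as the "small sock_kmalloc() allocation" in the message implies, truncates to a tiny value that the pre-patch UINT_MAX check does nothing to prevent. The function names, the constructed nr_local value and the 32-bit iov_size are assumptions of the example; 1024 is the value linux/uio.h defines for UIO_MAXIOV. The third function shows the overflow-checked multiply a reviewer would ask for, which holds regardless of where the bound is set.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: models rds_cmsg_rdma_args() size arithmetic, not kernel code. */

#define UIO_MAXIOV 1024  /* same value the kernel defines in linux/uio.h */

/* Layout of the RDS userspace iovec: two 64-bit fields, 16 bytes. */
struct rds_iovec {
	uint64_t addr;
	uint64_t bytes;
};

/*
 * Pre-patch behaviour. Assumption: iov_size is a 32-bit unsigned, as the
 * "small sock_kmalloc() allocation" in the commit message implies.
 * Returns the byte count that would be allocated, or -EMSGSIZE.
 */
int64_t iov_size_before(uint64_t nr_local)
{
	uint32_t iov_size;

	if (nr_local > (uint64_t)UINT_MAX)
		return -EMSGSIZE;
	/* 64-bit product truncated to 32 bits: wraps for nr_local >= 2^28 */
	iov_size = (uint32_t)(nr_local * sizeof(struct rds_iovec));
	return iov_size;
}

/* Post-patch behaviour: same arithmetic, bound tightened to UIO_MAXIOV. */
int64_t iov_size_after(uint64_t nr_local)
{
	uint32_t iov_size;

	if (nr_local > (uint64_t)UIO_MAXIOV)
		return -EMSGSIZE;
	/* largest possible product is 1024 * 16 = 16384, nowhere near UINT_MAX */
	iov_size = (uint32_t)(nr_local * sizeof(struct rds_iovec));
	return iov_size;
}

/*
 * Defence that does not depend on the bound: overflow-checked multiply.
 * The kernel has check_mul_overflow()/array_size() for this; the example
 * uses the GCC/Clang builtin. Returns the byte count or -EOVERFLOW.
 */
int64_t iov_size_checked(uint64_t nr_local)
{
	size_t bytes;

	if (__builtin_mul_overflow(nr_local, sizeof(struct rds_iovec), &bytes))
		return -EOVERFLOW;
	if (bytes > (uint64_t)INT64_MAX)  /* keep the result representable */
		return -EOVERFLOW;
	return (int64_t)bytes;
}

int main(void)
{
	/* Constructed attacker value: 2^28 + 1 iovecs. 0x10000001 * 16 = 0x100000010,
	 * which truncates to 0x10: a 16-byte buffer for 268,435,457 iovecs. */
	const uint64_t evil = 0x10000001ULL;

	printf("before:  nr_local=%#llx -> %lld bytes\n",
	       (unsigned long long)evil, (long long)iov_size_before(evil));
	printf("after:   nr_local=%#llx -> %lld (-EMSGSIZE is %d)\n",
	       (unsigned long long)evil, (long long)iov_size_after(evil), -EMSGSIZE);
	printf("after:   nr_local=%d -> %lld bytes\n",
	       UIO_MAXIOV, (long long)iov_size_after(UIO_MAXIOV));
	printf("checked: nr_local=%#llx -> %lld (-EOVERFLOW is %d)\n",
	       (unsigned long long)(UINT64_MAX / 4),
	       (long long)iov_size_checked(UINT64_MAX / 4), -EOVERFLOW);
	return 0;
}
```

Note that 0x10000000 (exactly 2^28) truncates to a zero-byte size in the pre-patch model, and every multiple of 2^28 above it does the same, so the attacker has a wide choice of nr_local values that survive the old check and still produce an undersized buffer.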
References:

http://www.openwall.com/lists/oss-security/2010/11/18/1
http://www.openwall.com/lists/oss-security/2010/11/17/8
http://marc.info/?l=linux-netdev&m=129001184803080&w=2



Copyright 2019, cxsecurity.com
