Bug#327416: marked as done (CAN-2005-2490/CAN-2005-2492: Two sendmsg() related vulnerabilities)
Your message dated Sat, 5 Nov 2005 21:42:21 -0800 (PST)
with message-id <Pine.LNX.4.63.0511052139500.2920@bobcat>
and subject line CAN-2005-2490/CAN-2005-2492: Two sendmsg() related vulnerabilities
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
Received: (at submit) by bugs.debian.org; 9 Sep 2005 23:29:08 +0000
Content-Type: text/plain; charset="us-ascii"
From: Moritz Muehlenhoff <[hidden email]>
To: Debian Bug Tracking System <[hidden email]>
Subject: CAN-2005-2490/CAN-2005-2492: Two sendmsg() related vulnerabilities
X-Mailer: reportbug 3.17
Date: Sat, 10 Sep 2005 01:29:54 +0200
X-Debbugs-Cc: Debian Security Team <[hidden email]>
Message-Id: <[hidden email]>
[Severity important only, as amd64 is not yet officially in the archive]
These patches were posted as part of the stable review cycle on linux-kernel,
they're probably available in git already.
CAN-2005-2490: (local privilege escalation on amd64)
When we copy 32bit ->msg_control contents to kernel, we walk the same
userland data twice without sanity checks on the second pass.
Second version of this patch: the original broke with 64-bit arches
running 32-bit-compat-mode executables doing sendmsg() syscalls with
unaligned CMSG data areas.
Another thing is that we use kmalloc() to allocate and sock_kfree_s()
to free afterwards; less serious, but also needs fixing.
CAN-2005-2492: (information leakage / DoS)
From: Al Viro <[hidden email]>
Fix unchecked __get_user that could be tricked into generating a
memory read on an arbitrary address. The result of the read is not
returned directly but you may be able to divine some information about
it, or use the read to cause a crash on some architectures by reading
hardware state. CAN-2005-2492.
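As an added illustration of the CAN-2005-2490 double walk (example code written here, not taken from the report or from the kernel patch): a userspace model in which pass 1 validates the 32-bit cmsg headers and sizes the kernel buffer, and pass 2 re-reads the same user headers to copy. The `checked` flag adds the per-cmsg bound against the remaining kernel space that the fix introduces; the `compat_cmsg` struct, the driver and its control-area contents are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a 32-bit compat cmsghdr (hypothetical struct, not the kernel's). */
struct compat_cmsg { uint32_t len; int32_t level; int32_t type; };
#define HDR   sizeof(struct compat_cmsg)
#define AL(n) ((((size_t)(n)) + 3) & ~(size_t)3)     /* 4-byte compat cmsg alignment */

/* Pass 1: walk the user control area, sanity-check each header, sum the kernel space
   needed. In the original code this was the only walk that validated lengths. */
static int pass1_total(const uint8_t *u, size_t ulen, size_t *need) {
    size_t off = 0, sum = 0;
    while (ulen - off >= HDR) {
        struct compat_cmsg h; memcpy(&h, u + off, HDR);
        if (h.len < HDR || AL(h.len) > ulen - off) return -1;
        sum += AL(h.len); off += AL(h.len);
    }
    *need = sum; return 0;
}

/* Pass 2: re-read the same user headers and copy into the buffer sized by pass 1.
   A racing thread may have rewritten them in between. Returns 0 on success, -1 for
   EFAULT; -2 is a guard standing in for the overrun the unchecked path would cause. */
static int pass2_copy(const uint8_t *u, size_t ulen, uint8_t *k, size_t klen, int checked) {
    size_t off = 0, kofs = 0;
    while (ulen - off >= HDR) {
        struct compat_cmsg h; memcpy(&h, u + off, HDR);
        if (h.len < HDR) return -1;                /* the only check the old code made here */
        if (AL(h.len) > klen - kofs)               /* cmsg no longer fits the kernel buffer */
            return checked ? -1 : -2;              /* fixed: reject; original: overrun */
        memcpy(k + kofs, u + off, h.len);
        kofs += AL(h.len); off += AL(h.len);
    }
    return 0;
}

/* Constructed driver: two 16-byte cmsgs in a 32-byte control area. With race=1 the
   first header is enlarged between the passes, as a second thread could do it. */
int sendmsg_compat_demo(int race, int checked) {
    uint8_t u[32] = {0};
    struct compat_cmsg a = { HDR + 4, 1, 1 }, b = { HDR + 4, 1, 2 };
    memcpy(u, &a, HDR); memcpy(u + AL(a.len), &b, HDR);
    size_t need;
    if (pass1_total(u, sizeof u, &need)) return -1;
    uint8_t *k = malloc(need ? need : 1);
    if (race) { a.len = 1000; memcpy(u, &a, HDR); }   /* header changes after pass 1 */
    int rc = pass2_copy(u, sizeof u, k, need, checked);
    free(k); return rc;
}
```

With unchanged headers both variants copy successfully; with the raced header the original pattern would overrun the kernel buffer while the fixed pass 2 rejects the message with EFAULT.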