Release date: 2010-09-21
Updated on: 2010-09-27
Affected Systems:
Linux kernel 2.6.x
Unaffected Systems:
Linux kernel 2.6.36-rc4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 43353
CVE (CAN) ID: CVE-2010-3067
Linux Kernel is the kernel of the open-source Linux operating system.
The do_io_submit() function in fs/aio.c of the Linux Kernel has an integer overflow vulnerability. A local user can call io_submit() to cause a denial of service.
do_io_submit() is called directly by the io_submit system call:
SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
                struct iocb __user * __user *, iocbpp)
{
        return do_io_submit(ctx_id, nr, iocbpp, 0);
}
do_io_submit() only checks that nr is not negative; it does not check whether the product nr * sizeof(*iocbpp) passed to access_ok() can overflow:
long do_io_submit(aio_context_t ctx_id, long nr,
                  struct iocb __user *__user *iocbpp, bool compat)
{
        ...
        if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr * sizeof(*iocbpp)))))
                return -EFAULT;
        ...
The subsequent loop uses __get_user(), which expands to __get_user_nocheck() and performs no range check of its own, so these reads are unsafe once the access_ok() check has been bypassed by a wrapped length:
        ...
        for (i = 0; i < nr; i++) {
                struct iocb __user *user_iocb;
                struct iocb tmp;

                if (unlikely(__get_user(user_iocb, iocbpp + i))) {
                        ret = -EFAULT;
                        break;
                }
        ...
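As an added illustration (not code from the advisory or from the kernel), the following user-space C program reproduces the unchecked multiplication to show how the byte length handed to access_ok() wraps for a large nr, and places an overflow-aware check beside it that rejects such an nr. IOCBP_SIZE, vuln_range_len, wrapping_nr and safe_range_len are names constructed for this example; the check shown is one possible form, not necessarily the vendor's.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Stand-in for `struct iocb __user * __user *iocbpp`: a user-space array
 * of pointers, so each element occupies sizeof(void *) bytes. */
#define IOCBP_SIZE sizeof(void *)

/* The pre-fix length computation from do_io_submit(): nr * sizeof(*iocbpp).
 * nr is a signed long and sizeof() is unsigned, so the product is evaluated
 * in unsigned long arithmetic and silently wraps modulo 2^(bits of long). */
unsigned long vuln_range_len(long nr)
{
	return nr * IOCBP_SIZE;
}

/* A positive nr (fits in a long) whose byte length wraps back to just one
 * element: (ULONG_MAX / IOCBP_SIZE + 2) * IOCBP_SIZE == IOCBP_SIZE (mod 2^bits).
 * access_ok() would then be asked to validate only IOCBP_SIZE bytes, while
 * the loop afterwards iterates nr times with __get_user(). */
long wrapping_nr(void)
{
	return (long)(ULONG_MAX / IOCBP_SIZE) + 2;
}

/* Overflow-aware variant, constructed for this example (the vendor's own fix
 * is the commit linked below): keep the nr < 0 check and additionally refuse
 * any nr whose byte length cannot be represented, so the length handed to
 * access_ok() always covers every element the loop will touch. */
int safe_range_len(long nr, unsigned long *len)
{
	if (nr < 0)
		return -EINVAL;
	if ((unsigned long)nr > LONG_MAX / IOCBP_SIZE)
		return -EINVAL;
	*len = (unsigned long)nr * IOCBP_SIZE;
	return 0;
}

int main(void)
{
	long nr = wrapping_nr();
	unsigned long len = 0;

	printf("nr = %ld: unchecked length = %lu bytes (wrapped)\n",
	       nr, vuln_range_len(nr));
	printf("overflow-aware check returns %d (-EINVAL = %d)\n",
	       safe_range_len(nr, &len), -EINVAL);
	return 0;
}
```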
<* Source: Tavis Ormandy (taviso@gentoo.org)
Link: http://secunia.com/advisories/41284/
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=629441
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Linux
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75e1c70fc31490ef8a373ea2a4bea2524099b478