[packages/kernel] - local root exploit fix (CVE-2013-1763)
arekm
arekm at pld-linux.org
Wed Feb 27 09:01:45 CET 2013
commit 1f4141ff17511fe2e5a35c0180a9321d1c775f47
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Wed Feb 27 09:01:40 2013 +0100
- local root exploit fix (CVE-2013-1763)
kernel-small_fixes.patch | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
---
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index 2c20420..0660f7e 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -50,3 +50,33 @@ index 7a0c800..ec5ebbb 100644
1.7.7.3
+commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0
+Author: Mathias Krause <minipli at googlemail.com>
+Date: Sat Feb 23 01:13:47 2013 +0000
+
+ sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+
+ Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+ with a family greater or equal then AF_MAX -- the array size of
+ sock_diag_handlers[]. The current code does not test for this
+ condition therefore is vulnerable to an out-of-bound access opening
+ doors for a privilege escalation.
+
+ Signed-off-by: Mathias Krause <minipli at googlemail.com>
+ Acked-by: Eric Dumazet <edumazet at google.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 602cd63..750f44f 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ if (nlmsg_len(nlh) < sizeof(*req))
+ return -EINVAL;
+
++ if (req->sdiag_family >= AF_MAX)
++ return -EINVAL;
++
+ hndl = sock_diag_lock_handler(req->sdiag_family);
+ if (hndl == NULL)
+ err = -ENOENT;
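Review bot: the `req->sdiag_family >= AF_MAX` test added in __sock_diag_rcv_msg() validates the index only at this one call site and only against an upper bound, so the fix rests on two things the hunk does not show. First, sdiag_family must be an unsigned type, because a signed field would let a negative family pass the comparison. Second, no other path may reach sock_diag_lock_handler() with an unvalidated family. Confirm both against the tree this patch is applied to, or place the test next to the sock_diag_handlers[] lookup itself so every caller is covered. On the packaging side, appending a CVE fix to the catch-all kernel-small_fixes.patch makes it harder to track and to drop once the packaged kernel version includes upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0. A separate patch file named for CVE-2013-1763 would make that easier.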
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/1f4141ff17511fe2e5a35c0180a9321d1c775f47