Bugzilla – Bug 735810
VUL-0: CVE-2011-4594: kernel: send(m)msg: user pointer dereferences
Last modified: 2017-04-04 17:58:51 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public. CVE-2011-4594 ------------------------------------------------------------------------------ Date: Thu, 8 Dec 2011 20:15:48 +0100 From: Petr Matousek <pmatouse@redhat.com> Subject: [oss-security] CVE Request -- kernel: send(m)msg: user pointer dereferences Dereferencing a user pointer directly from kernel-space without going through the copy_from_user family of functions is a bad idea. Two of such usages can be found in the sendmsg code path called from sendmmsg, added by upstream commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a. Usages are performed through memcmp() and memcpy() directly. Upstream commit: bc909d9ddbf7778371e36a651d6e4194b1cc7d4c References: https://bugzilla.redhat.com/show_bug.cgi?id=761646 Thanks, -- Petr Matousek / Red Hat Security Response Team
introduced in commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Thu Aug 4 14:07:40 2011 +0000 So it is in Linux 3.1 only (openSUSE 12.1)
The fix (bc909d9) was merged in 3.1-rc5, so openSUSE 12.1 is not affected. The bug was also backported to 3.0.2, but fixed in 3.0.5 again.