From 21d9caca015ac2705129abfe784cbba5d7dc46ec Mon Sep 17 00:00:00 2001
From: Nicolas Thill
Date: Wed, 19 Aug 2009 11:28:50 +0000
Subject: [PATCH] [kernel] fix possible NULL pointer dereference in sock_sendpage() - CVE-2009-2692
SVN-Revision: 17308
---
.../generic-2.4/patches/901-CVE-2009-2692.patch | 14 ++++++++++++++
.../patches-2.6.23/996-cve-2009-2692.patch | 13 +++++++++++++
.../patches-2.6.24/996-cve-2009-2692.patch | 13 +++++++++++++
.../patches-2.6.25/996-cve-2009-2692.patch | 13 +++++++++++++
.../patches-2.6.26/996-cve-2009-2692.patch | 13 +++++++++++++
5 files changed, 66 insertions(+)
create mode 100644 target/linux/generic-2.4/patches/901-CVE-2009-2692.patch
create mode 100644 target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch
create mode 100644 target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch
create mode 100644 target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch
create mode 100644 target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch
diff --git a/target/linux/generic-2.4/patches/901-CVE-2009-2692.patch b/target/linux/generic-2.4/patches/901-CVE-2009-2692.patch
new file mode 100644
index 0000000000..641c87ddff
--- /dev/null
+++ b/target/linux/generic-2.4/patches/901-CVE-2009-2692.patch
@@ -0,0 +1,14 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -607,6 +607,9 @@ ssize_t sock_sendpage(struct file *file,
+ if (more)
+ flags |= MSG_MORE;
+
++ if (!sock->ops->sendpage)
++ return sock_no_sendpage(sock, page, offset, size, flags);
++
+ return sock->ops->sendpage(sock, page, offset, size, flags);
+ }
+
diff --git a/target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch
new file mode 100644
index 0000000000..faf5ec35fc
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/996-cve-2009-2692.patch
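Review bot: The guard added in 901-CVE-2009-2692.patch, `if (!sock->ops->sendpage)`, hardens only this one call in sock_sendpage(); the condition behind CVE-2009-2692 (a proto_ops table whose sendpage member is left NULL) is untouched, so any other direct call through `sock->ops->sendpage` in the 2.4 tree would still need the same check. The rest of net/ is not visible from this hunk, so that is worth a grep before treating the issue as closed. I would also put a comment above the check, e.g. `/* proto_ops may leave sendpage NULL; fall back instead of calling through it */`, and add a one-sentence description next to the CVE link in the patch header. sock_sendpage() begins outside the hunk.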
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -687,7 +687,7 @@ static ssize_t sock_sendpage(struct file
+ if (more)
+ flags |= MSG_MORE;
+
+- return sock->ops->sendpage(sock, page, offset, size, flags);
++ return kernel_sendpage(sock, page, offset, size, flags);
+ }
+
+ static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,
diff --git a/target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch
new file mode 100644
index 0000000000..19214b8316
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.24/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -688,7 +688,7 @@ static ssize_t sock_sendpage(struct file
+ if (more)
+ flags |= MSG_MORE;
+
+- return sock->ops->sendpage(sock, page, offset, size, flags);
++ return kernel_sendpage(sock, page, offset, size, flags);
+ }
+
+ static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,
diff --git a/target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch
new file mode 100644
index 0000000000..1910c36740
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.25/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -692,7 +692,7 @@ static ssize_t sock_sendpage(struct file
+ if (more)
+ flags |= MSG_MORE;
+
+- return sock->ops->sendpage(sock, page, offset, size, flags);
++ return kernel_sendpage(sock, page, offset, size, flags);
+ }
+
+ static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
diff --git a/target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch b/target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch
new file mode 100644
index 0000000000..1910c36740
--- /dev/null
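Review bot: In the four 2.6 patches (2.6.23 here, and the identical change for 2.6.24, 2.6.25 and 2.6.26) the NULL check that closes CVE-2009-2692 is not visible: `return kernel_sendpage(sock, page, offset, size, flags);` is safe only if kernel_sendpage() in each of those trees tests `sock->ops->sendpage` and falls back to sock_no_sendpage(), as the mainline helper does. That helper is defined outside these hunks, so confirm it per kernel version rather than assuming it, and say so in the patch header, which currently holds only the CVE link. The file names are also inconsistent with the 2.4 patch (`996-cve-2009-2692.patch` versus `901-CVE-2009-2692.patch`); one casing would let a case-sensitive search for the CVE id find all five.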
+++ b/target/linux/generic-2.6/patches-2.6.26/996-cve-2009-2692.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -692,7 +692,7 @@ static ssize_t sock_sendpage(struct file
+ if (more)
+ flags |= MSG_MORE;
+
+- return sock->ops->sendpage(sock, page, offset, size, flags);
++ return kernel_sendpage(sock, page, offset, size, flags);
+ }
+
+ static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
--
2.30.2