From: Jiri Pirko <jpirko@redhat.com>
Date: Sat, 15 Aug 2009 12:14:05 +0200
Subject: [net] make sock_sendpage use kernel_sendpage
Message-Id: 20090815101404.GC3407@psychotron.englab.brq.redhat.com
O-Subject: RHEL5.3.z patch] BZ517445 CVE-2009-2692 net/socket: make sock_sendpage() use kernel_sendpage()
Bugzilla: 517445
Acked-by: Anton Arapov <aarapov@redhat.com>

BZ517445
https://bugzilla.redhat.com/show_bug.cgi?id=517445

Description:
The SOCKOPS_WRAP macro from include/linux/net.h doesn't initialise the sendpage
operation in the proto_ops structure correctly. Leading to a kernel NULL
pointer dereference, and thus a local privilege escalation.

5.5 patch failed to apply on 5.3.z tree because of the following commit:
http://git.engineering.redhat.com/?p=users/dzickus/rhel5/kernel;a=commitdiff;h=22c7cbd43650a834878154e05db8cec273c4ceb6

This patch is a straight backport of upstream patch.

Upstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=1929886

Please review and ack.

Jirka

Signed-off-by: Jiri Pirko <jpirko@redhat.com>

diff --git a/net/socket.c b/net/socket.c
index f63436e..fdf4644 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -701,7 +701,7 @@ static ssize_t sock_sendpage(struct file *file, struct page *page,
 	if (more)
 		flags |= MSG_MORE;
 
-	return sock->ops->sendpage(sock, page, offset, size, flags);
+	return kernel_sendpage(sock, page, offset, size, flags);
 }
 
 static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,