From: Jiri Pirko <jpirko@redhat.com> Date: Sat, 15 Aug 2009 12:14:05 +0200 Subject: [net] make sock_sendpage use kernel_sendpage Message-Id: 20090815101404.GC3407@psychotron.englab.brq.redhat.com O-Subject: RHEL5.3.z patch] BZ517445 CVE-2009-2692 net/socket: make sock_sendpage() use kernel_sendpage() Bugzilla: 517445 Acked-by: Anton Arapov <aarapov@redhat.com> BZ517445 https://bugzilla.redhat.com/show_bug.cgi?id=517445 Description: The SOCKOPS_WRAP macro from include/linux/net.h doesn't initialise the sendpage operation in the proto_ops structure correctly. Leading to a kernel NULL pointer dereference, and thus a local privilege escalation. 5.5 patch failed to apply on 5.3.z tree because of the following commit: http://git.engineering.redhat.com/?p=users/dzickus/rhel5/kernel;a=commitdiff;h=22c7cbd43650a834878154e05db8cec273c4ceb6 This patch is a straight backport of upstream patch. Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=1929886 Please review and ack. Jirka Signed-off-by: Jiri Pirko <jpirko@redhat.com> diff --git a/net/socket.c b/net/socket.c index f63436e..fdf4644 100644 --- a/net/socket.c +++ b/net/socket.c @@ -701,7 +701,7 @@ static ssize_t sock_sendpage(struct file *file, struct page *page, if (more) flags |= MSG_MORE; - return sock->ops->sendpage(sock, page, offset, size, flags); + return kernel_sendpage(sock, page, offset, size, flags); } static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,