| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Jul 2017 11:23:05 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: David Ahern <dsahern@...il.com>
Cc: "Michael S. Tsirkin" <mst@...hat.com>,
Jason Wang <jasowang@...hat.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: out-of-bounds access with virtio-net
On Wed, Jul 19, 2017 at 9:59 AM, David Ahern <dsahern@...il.com> wrote:
> Changing the mac address on a virtio-net based nic is triggering an
> out-of-bounds access. Nothing fancy with the command:
>
> ip li set dev eth2 addr 01:02:34:56:78:9a
>
> virtnet_set_mac_address is calling kmemdup for sizeof sockaddr, yet only
> ETH_ALEN + sizeof(sa_family_t) bytes were malloc'ed.
Previously we have a dev->addr_len longer than sizeof sockaddr,
now we a shorter one... This mac addr thing is really a mess currently.
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index d1ba90980be1..d13bebdf6465 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2031,7 +2031,7 @@ static int do_setlink(const struct sk_buff *skb,
struct sockaddr *sa;
int len;
- len = sizeof(sa_family_t) + dev->addr_len;
+ len = sizeof(sa_family_t) + max(dev->addr_len, sizeof(*sa));
sa = kmalloc(len, GFP_KERNEL);
if (!sa) {
err = -ENOMEM;
Powered by blists - more mailing lists