| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Jan 2022 17:52:11 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Christoph Hellwig <hch@....de>, ralf@...ux-mips.org
Cc: davem@...emloft.net, kuba@...nel.org, linux-hams@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH] netrom: fix copying in user data in nr_setsockopt
On Tue, Jan 04, 2022 at 10:21:26AM +0100, Christoph Hellwig wrote:
> This code used to copy in an unsigned long worth of data before
> the sockptr_t conversion, so restore that.
>
> Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt")
> Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
> Signed-off-by: Christoph Hellwig <hch@....de>
> ---
> net/netrom/af_netrom.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
> index 775064cdd0ee4..f1ba7dd3d253d 100644
> --- a/net/netrom/af_netrom.c
> +++ b/net/netrom/af_netrom.c
> @@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
> if (optlen < sizeof(unsigned int))
> return -EINVAL;
>
> - if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
> + if (copy_from_sockptr(&opt, optval, sizeof(unsigned long)))
> return -EFAULT;
No this isn't right. In the original code, it copied an unsigned int.
if (get_user(opt, (unsigned int __user *)optval))
The fix is to probably to change "opt" to an unsigned int. I wonder if
I need to update all the integer overflow checks to from:
- if (opt > ULONG_MAX / HZ)
+ if (opt > UINT_MAX / HZ)
...
Probably no one cares, right? Ralf?
regards,
dan carpenter
Powered by blists - more mailing lists