| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1338360383.2760.84.camel@edumazet-glaptop>
Date: Wed, 30 May 2012 08:46:23 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Jason Wang <jasowang@...hat.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net,
linux-kernel@...r.kernel.org, stable@...r.kernel.org,
mst@...hat.com
Subject: Re: [PATCH] net: sock: validate data_len before allocating skb in
sock_alloc_send_pskb()
On Wed, 2012-05-30 at 13:47 +0800, Jason Wang wrote:
> We need to validate the number of pages consumed by data_len, otherwise frags
> array could be overflowed by userspace. So this patch validate data_len and
> return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
>
> Cc: stable@...r.kernel.org [2.6.27+]
> Signed-off-by: Jason Wang <jasowang@...hat.com>
> ---
> net/core/sock.c | 8 ++++++--
> 1 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 653f8c0..4ad5fa5 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1599,6 +1599,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
>
> timeo = sock_sndtimeo(sk, noblock);
> while (1) {
> + int npages;
> err = sock_error(sk);
> if (err != 0)
> goto failure;
> @@ -1607,17 +1608,20 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
> if (sk->sk_shutdown & SEND_SHUTDOWN)
> goto failure;
>
> + err = -EMSGSIZE;
> + npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
> + if (npages > MAX_SKB_FRAGS)
> + goto failure;
> +
> if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
> skb = alloc_skb(header_len, gfp_mask);
> if (skb) {
> - int npages;
> int i;
>
> /* No pages, we're done... */
> if (!data_len)
> break;
>
> - npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
> skb->truesize += data_len;
> skb_shinfo(skb)->nr_frags = npages;
> for (i = 0; i < npages; i++) {
>
Why doing this test in the while (1) block, it should be done before the
loop...
Or even in the caller, note net/unix/af_unix.c does this right.
if (len > SKB_MAX_ALLOC)
data_len = min_t(size_t,
len - SKB_MAX_ALLOC,
MAX_SKB_FRAGS * PAGE_SIZE);
skb = sock_alloc_send_pskb(sk, len - data_len, data_len,
msg->msg_flags & MSG_DONTWAIT, &err);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists