lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Sep 2017 00:19:37 +0000 From: "Levin, Alexander (Sasha Levin)" <alexander.levin@...izon.com> To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "stable@...r.kernel.org" <stable@...r.kernel.org> Cc: Alexander Potapenko <glider@...gle.com>, "David S . Miller" <davem@...emloft.net>, "Levin, Alexander (Sasha Levin)" <alexander.levin@...izon.com> Subject: [PATCH for 4.9 02/39] net/packet: check length in getsockopt() called with PACKET_HDRLEN From: Alexander Potapenko <glider@...gle.com> [ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ] In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 |val| remains uninitialized and the syscall may behave differently depending on its value, and even copy garbage to userspace on certain architectures. To fix this we now return -EINVAL if optlen is too small. This bug has been detected with KMSAN. Signed-off-by: Alexander Potapenko <glider@...gle.com> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Sasha Levin <alexander.levin@...izon.com> --- net/packet/af_packet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index ae7bfd26cd91..2cf706f7defa 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3878,6 +3878,8 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); + if (len < sizeof(int)) + return -EINVAL; if (copy_from_user(&val, optval, len)) return -EFAULT; switch (val) { -- 2.11.0
Powered by blists - more mailing lists