lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Nov 2017 22:26:26 +0100 From: Willy Tarreau <w@....eu> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org, linux@...ck-us.net Cc: Alexander Potapenko <glider@...gle.com>, "David S . Miller" <davem@...emloft.net>, Willy Tarreau <w@....eu> Subject: [PATCH 3.10 085/139] net/packet: check length in getsockopt() called with PACKET_HDRLEN From: Alexander Potapenko <glider@...gle.com> commit fd2c83b35752f0a8236b976978ad4658df14a59f upstream. In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 |val| remains uninitialized and the syscall may behave differently depending on its value, and even copy garbage to userspace on certain architectures. To fix this we now return -EINVAL if optlen is too small. This bug has been detected with KMSAN. Signed-off-by: Alexander Potapenko <glider@...gle.com> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Willy Tarreau <w@....eu> --- net/packet/af_packet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 0bbb347..b915d01 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3338,6 +3338,8 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); + if (len < sizeof(int)) + return -EINVAL; if (copy_from_user(&val, optval, len)) return -EFAULT; switch (val) { -- 2.8.0.rc2.1.gbe9624a
Powered by blists - more mailing lists