| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Apr 2024 20:15:53 +0800 From: Edward Adam Davis <eadavis@...com> To: pmenzel@...gen.mpg.de Cc: netdev@...r.kernel.org, eadavis@...com, johan.hedberg@...il.com, linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org, luiz.dentz@...il.com, marcel@...tmann.org, syzbot+d4ecae01a53fd9b42e7d@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com Subject: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in only 2 bytes being allocated when allocating memory to kernel_optval, and the optval size passed when calling the function copy_from_sockptr() is 4 bytes. Here, optlen is determined uniformly in the entry function __sys_setsockopt(). If its value is less than 4, the parameter is considered invalid. Reported-by: syzbot+837ba09d9db969068367@...kaller.appspotmail.com Reported-by: syzbot+b71011ec0a23f4d15625@...kaller.appspotmail.com Reported-by: syzbot+d4ecae01a53fd9b42e7d@...kaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@...com> --- net/socket.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/socket.c b/net/socket.c index e5f3af49a8b6..ac8fd4f6ebfe 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2327,6 +2327,9 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval, int err, fput_needed; struct socket *sock; + if (optlen < sizeof(int)) + return -EINVAL; + sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) return err; -- 2.43.0
Powered by blists - more mailing lists