lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Sun, 8 Jun 2008 16:08:00 +0200
From:	Ilja <ilja@...ric.org>
To:	James Chapman <james@...ckie.katalix.com>, netdev@...r.kernel.org
Cc:	ilja@...ric.org
Subject: Re: [PATCH net-2.6] L2TP: Fix potential memory corruption in pppol2tp_recvmsg()

It would probably be a good idea to make skb_len an unsigned int iso signed
int. I don't think that it matters in this case, but better to be safe than
sorry. 

Regards,
Ilja van Sprundel.

--------- Oorspronkelijk bericht --------
Van: James Chapman <james@...ckie.katalix.com>
Naar: netdev@...r.kernel.org <netdev@...r.kernel.org>
Cc: ilja@...ric.org
Onderwerp: [PATCH net-2.6] L2TP: Fix potential memory corruption in
pppol2tp_recvmsg()
Datum: 08/06/08 18:01

> 
> This patch fixes a potential memory corruption in
> pppol2tp_recvmsg(). If skb-&gt;len is bigger than the caller's buffer
> length, memcpy_toiovec() will go into unintialized data on the kernel
> heap, interpret it as an iovec and start modifying memory.
> 
> The fix is to change the memcpy_toiovec() call to
> skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
> are handled properly. Also check that the caller's buffer is big
> enough for the data and drop it if it isn't so.
> 
> Reported-by: Ilja &lt;ilja@...ric.org&gt;
> Signed-off-by: James Chapman &lt;jchapman@...alix.com&gt;
> 
> --
> 
> A candidate for -stable?
> 
> Index: net-2.6/drivers/net/pppol2tp.c
> ===================================================================
> --- net-2.6.orig/drivers/net/pppol2tp.c
> +++ net-2.6/drivers/net/pppol2tp.c
> @@ -773,6 +773,7 @@ static int pppol2tp_recvmsg(struct kiocb
>  	int err;
>  	struct sk_buff *skb;
>  	struct sock *sk = sock-&gt;sk;
> +	int skb_len;
>  
>  	err = -EIO;
>  	if (sk-&gt;sk_state &amp; PPPOX_BOUND)
> @@ -783,14 +784,25 @@ static int pppol2tp_recvmsg(struct kiocb
>  	err = 0;
>  	skb = skb_recv_datagram(sk, flags &amp; ~MSG_DONTWAIT,
>  				flags &amp; MSG_DONTWAIT, &amp;err);
> -	if (skb) {
> -		err = memcpy_toiovec(msg-&gt;msg_iov, (unsigned char *) skb-&gt;data,
> -				     skb-&gt;len);
> -		if (err &lt; 0)
> -			goto do_skb_free;
> -		err = skb-&gt;len;
> -	}
> -do_skb_free:
> +	if (!skb)
> +		goto end;
> +
> +	skb_len = skb-&gt;len;
> +
> +	/* If caller did not provide a buffer big enough, drop the
> +	 * frame.  This path is used only for receiving PPP control
> +	 * frames (not user data) so PPP daemons should always use a
> +	 * buffer big enough for the largest expected control frame.
> +	 */
> +	err = -EMSGSIZE;
> +	if (unlikely(skb_len &gt; len))
> +		goto err_drop;
> +
> +	err = skb_copy_datagram_iovec(skb, 0, msg-&gt;msg_iov, skb_len);
> +	if (likely(err == 0))
> +		err = skb_len;
> +
> +err_drop:
>  	kfree_skb(skb);
>  end:
>  	return err;
> 


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists