| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20130227.152630.35846741651175869.davem@davemloft.net> Date: Wed, 27 Feb 2013 15:26:30 -0500 (EST) From: David Miller <davem@...emloft.net> To: dborkman@...hat.com Cc: linux@...ck-us.net, netdev@...r.kernel.org Subject: Re: [PATCH] net: af_packet: Validate parameter size for PACKET_HDRLEN control message From: Daniel Borkmann <dborkman@...hat.com> Date: Wed, 27 Feb 2013 21:22:17 +0100 > On 02/27/2013 08:46 PM, Guenter Roeck wrote: >> Building af_packet may fail with >> >> In function ‘copy_from_user’, >> inlined from ‘packet_getsockopt’ at >> net/packet/af_packet.c:3215:21: >> arch/x86/include/asm/uaccess_32.h:211:26: error: call to >> ‘copy_from_user_overflow’ declared with attribute error: >> copy_from_user() >> buffer size is not provably correct >> >> if built with W=1 due to a missing parameter size validation. >> >> Signed-off-by: Guenter Roeck <linux@...ck-us.net> >> --- >> net/packet/af_packet.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c >> index c7bfeff..1976b23 100644 >> --- a/net/packet/af_packet.c >> +++ b/net/packet/af_packet.c >> @@ -3210,6 +3210,8 @@ static int packet_getsockopt(struct socket >> *sock, int level, int optname, >> val = po->tp_version; >> break; >> case PACKET_HDRLEN: >> + if (len < sizeof(int)) >> + return -EINVAL; > > I think this could break some user space applications here, those who > e.g. only pass > an uint16_t to packet_getsockopt with PACKET_HDRLEN. Well, their shit is broken on big endian then.
Powered by blists - more mailing lists