Message-ID: <20130318101007.GO9189@mwanda>
Date: Mon, 18 Mar 2013 13:10:07 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: netdev@...r.kernel.org
Subject: question about klen in move_addr_to_user()
Smatch complains about a potential buffer overflow in
move_addr_to_user():
net/socket.c
   212 static int move_addr_to_user(struct sockaddr_storage *kaddr, int klen,
   213                              void __user *uaddr, int __user *ulen)
   214 {
   215         int err;
   216         int len;
   217
   218         err = get_user(len, ulen);
   219         if (err)
   220                 return err;
   221         if (len > klen)
   222                 len = klen;
   223         if (len < 0 || len > sizeof(struct sockaddr_storage))
   224                 return -EINVAL;
   225         if (len) {
   226                 if (audit_sockaddr(klen, kaddr))
                                          ^^^^
Smatch complains that although "len" is capped here, "klen" hasn't
necessarily been. If "klen" is more than 128 bytes it leads to
memory corruption.

   227                         return -ENOMEM;
   228                 if (copy_to_user(uaddr, kaddr, len))
   229                         return -EFAULT;
   230         }
The call tree is this:

__sys_recvmsg() gets the msg->msg_namelen from the user.
Normally the network protocols set msg->msg_namelen in their
->recvmsg() function, but some don't, like caif_seqpkt_recvmsg() and
recv_msg() for tipc.
regards,
dan carpenter
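A user-space model of the bounds logic above, added here as an illustration and not part of the original message or of net/socket.c: it shows the guard on "klen" that the message says is missing, with get_user()/copy_to_user()/put_user() replaced by plain memory copies and audit_sockaddr() replaced by a constructed stand-in (both assumptions, so the test can run outside the kernel).

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed user-space model of move_addr_to_user(), not the kernel's own
 * code: user-copy helpers become memcpy so the bounds logic runs stand-alone. */
#define SS_SIZE sizeof(struct sockaddr_storage)   /* 128 bytes on Linux */

/* Stand-in for audit_sockaddr(): it reads klen bytes from kaddr, which is
 * only SS_SIZE bytes long, so an unchecked klen would read out of bounds. */
static int model_audit_sockaddr(int klen, const void *kaddr)
{
    char record[sizeof(struct sockaddr_storage)];
    if (klen < 0 || (size_t)klen > sizeof(record))
        return -E2BIG;      /* defensive; the caller must reject this first */
    memcpy(record, kaddr, (size_t)klen);
    return 0;
}

/* Hardened variant: klen is validated against the storage size before use,
 * so both len and klen are bounded by the time audit_sockaddr() runs. */
static int move_addr_to_user_checked(const struct sockaddr_storage *kaddr,
                                     int klen, void *uaddr, int *ulen)
{
    int len = *ulen;                          /* get_user(len, ulen) */
    if (klen < 0 || (size_t)klen > SS_SIZE)   /* the added guard */
        return -EINVAL;
    if (len > klen)
        len = klen;
    if (len < 0 || (size_t)len > SS_SIZE)
        return -EINVAL;
    if (len) {
        if (model_audit_sockaddr(klen, kaddr))
            return -ENOMEM;
        memcpy(uaddr, kaddr, (size_t)len);    /* copy_to_user(uaddr, kaddr, len) */
    }
    *ulen = klen;                             /* put_user(klen, ulen) */
    return 0;
}

/* Drives one call on constructed input and returns the result code. */
static int run_case(int klen, int user_len)
{
    struct sockaddr_storage kaddr;
    char uaddr[sizeof(struct sockaddr_storage)];
    int ulen = user_len;
    memset(&kaddr, 0xAB, sizeof(kaddr));      /* constructed address bytes */
    return move_addr_to_user_checked(&kaddr, klen, uaddr, &ulen);
}
```

The oversized-klen case returns -EINVAL from the new guard, whereas the quoted kernel code would have passed that klen straight to audit_sockaddr().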