| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Jul 2015 09:00:25 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org, vyasevich@...il.com
Subject: Re: [PATCH net] sctp: fix sockopt size check
On Wed, Jul 29, 2015 at 05:07:31PM -0700, David Miller wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Date: Tue, 28 Jul 2015 11:16:23 -0300
>
> > The problem is not on being bigger than what we want, but on being
> > smaller, as it causes read of invalid memory.
> >
> > Note that the struct changes on commit 7e8616d8e773 didn't affect
> > sctp_setsockopt_events one but that's where this check was flipped.
> >
> > Fixes: 7e8616d8e773 ("[SCTP]: Update AUTH structures to match
> > declarations in draft-16.")
> > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
>
> This makes things worse.
>
> The copy_from_user() call is bounded by optlen, so if you allow it to
> be any arbitrary large value the user can write past the end of the
> structure, corrupting kernel memory.
Indeed. I should have changed copy_from_user() to copy the size of the
struct too. But then the issue I thought there was, there isn't and it
just allows partial updates, as it won't read any further than optlen.
> No, the test is correct, or at least necessary, as-is.
Yes. Please drop this. Thanks.
Marcelo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists