| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191205055419.13435-1-ebiggers@kernel.org>
Date: Wed, 4 Dec 2019 21:54:19 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Arnd Bergmann <arnd@...db.de>, Al Viro <viro@...iv.linux.org.uk>
Cc: Paul Mackerras <paulus@...ba.org>, bpf@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-ppp@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot <syzbot+eb853b51b10f1befa0b7@...kaller.appspotmail.com>,
syzkaller-bugs@...glegroups.com
Subject: [PATCH] ppp: fix out-of-bounds access in bpf_prog_create()
From: Eric Biggers <ebiggers@...gle.com>
sock_fprog_kern::len is in units of struct sock_filter, not bytes.
Fixes: 3e859adf3643 ("compat_ioctl: unify copy-in of ppp filters")
Reported-by: syzbot+eb853b51b10f1befa0b7@...kaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@...gle.com>
---
drivers/net/ppp/ppp_generic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 0cb1c2d0a8bc..3bf8a8b42983 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -564,8 +564,9 @@ static struct bpf_prog *get_filter(struct sock_fprog *uprog)
return NULL;
/* uprog->len is unsigned short, so no overflow here */
- fprog.len = uprog->len * sizeof(struct sock_filter);
- fprog.filter = memdup_user(uprog->filter, fprog.len);
+ fprog.len = uprog->len;
+ fprog.filter = memdup_user(uprog->filter,
+ uprog->len * sizeof(struct sock_filter));
if (IS_ERR(fprog.filter))
return ERR_CAST(fprog.filter);
--
2.24.0
Powered by blists - more mailing lists