lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200724125206.GC3399@localhost.localdomain>
Date:   Fri, 24 Jul 2020 09:52:06 -0300
From:   Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:     Christoph Hellwig <hch@....de>
Cc:     nhorman@...driver.com, linux-sctp@...r.kernel.org,
        netdev@...r.kernel.org,
        syzbot+0e4699d000d8b874d8dc@...kaller.appspotmail.com
Subject: Re: [PATCH v2 net-next] sctp: fix slab-out-of-bounds in
 SCTP_DELAYED_SACK processing

On Fri, Jul 24, 2020 at 08:48:55AM +0200, Christoph Hellwig wrote:
> This sockopt accepts two kinds of parameters, using struct
> sctp_sack_info and struct sctp_assoc_value. The mentioned commit didn't
> notice an implicit cast from the smaller (latter) struct to the bigger
> one (former) when copying the data from the user space, which now leads
> to an attempt to write beyond the buffer (because it assumes the storing
> buffer is bigger than the parameter itself).
> 
> Fix it by allocating a sctp_sack_info on stack and filling it out based
> on the small struct for the compat case.
> 
> Changelog stole from an earlier patch from Marcelo Ricardo Leitner.
> 
> Fixes: ebb25defdc17 ("sctp: pass a kernel pointer to sctp_setsockopt_delayed_ack")
> Reported-by: syzbot+0e4699d000d8b874d8dc@...kaller.appspotmail.com
> Signed-off-by: Christoph Hellwig <hch@....de>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>

Thanks Christoph.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ