From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:39976 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751450AbdJEJDJ (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 5 Oct 2017 05:03:09 -0400
Subject: Patch "net/packet: check length in getsockopt() called with PACKET_HDRLEN" has been added to the 3.18-stable tree
To: glider@google.com, alexander.levin@verizon.com,
        davem@davemloft.net, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Thu, 05 Oct 2017 11:02:38 +0200
Message-ID: <15071941585429@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    net/packet: check length in getsockopt() called with PACKET_HDRLEN

to the 3.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch
and it can be found in the queue-3.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Thu Oct  5 10:58:04 CEST 2017
From: Alexander Potapenko <glider@google.com>
Date: Tue, 25 Apr 2017 18:51:46 +0200
Subject: net/packet: check length in getsockopt() called with PACKET_HDRLEN

From: Alexander Potapenko <glider@google.com>


[ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ]

In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4
|val| remains uninitialized and the syscall may behave differently
depending on its value, and even copy garbage to userspace on certain
architectures. To fix this we now return -EINVAL if optlen is too small.

This bug has been detected with KMSAN.

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3482,6 +3482,8 @@ static int packet_getsockopt(struct sock
 	case PACKET_HDRLEN:
 		if (len > sizeof(int))
 			len = sizeof(int);
+		if (len < sizeof(int))
+			return -EINVAL;
 		if (copy_from_user(&val, optval, len))
 			return -EFAULT;
 		switch (val) {


Patches currently in stable-queue which might be from glider@google.com are

queue-3.18/net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch