From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Paul Moore <pmoore@redhat.com>,
Lin Ming <mlin@ss.pku.edu.cn>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 05/37] cipso: dont follow a NULL pointer when setsockopt() is called
Date: Fri, 17 Aug 2012 04:02:48 +0100
Message-ID: <20120817030244.580052425@decadent.org.uk>
In-Reply-To: <20120817030243.807605523@decadent.org.uk>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <pmoore@redhat.com>
[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ]
As reported by Alan Cox, and verified by Lin Ming, when a user
attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
tag the kernel dies a terrible death when it attempts to follow a NULL
pointer (the skb argument to cipso_v4_validate() is NULL when called via
the setsockopt() syscall).
This patch fixes this by first checking to ensure that the skb is
non-NULL before using it to find the incoming network interface. In
the unlikely case where the skb is NULL and the user attempts to add
a CIPSO option with the _TAG_LOCAL tag we return an error as this is
not something we want to allow.
A simple reproducer, kindly supplied by Lin Ming, although you must
have the CIPSO DOI #3 configured on the system first or you will be
caught early in cipso_v4_validate():
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <string.h>

/* CIPSO tag header followed by the (empty) local tag payload */
struct local_tag {
	char type;
	char length;
	char info[4];
};

/* CIPSO option header: type, total length, 4-byte DOI, then one tag */
struct cipso {
	char type;
	char length;
	char doi[4];
	struct local_tag local;
};

int main(int argc, char **argv)
{
	int sockfd;
	struct cipso cipso = {
		.type = IPOPT_CIPSO,
		.length = sizeof(struct cipso),
		.local = {
			.type = 128,	/* CIPSO_V4_TAG_LOCAL */
			.length = sizeof(struct local_tag),
		},
	};

	/* DOI 3, stored big endian */
	memset(cipso.doi, 0, 4);
	cipso.doi[3] = 3;

	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
#define SOL_IP 0
	/* Takes the setsockopt() path into cipso_v4_validate(), where skb is NULL */
	setsockopt(sockfd, SOL_IP, IP_OPTIONS,
		   &cipso, sizeof(struct cipso));

	return 0;
}
CC: Lin Ming <mlin@ss.pku.edu.cn>
Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/cipso_ipv4.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 86f3b88..afaa735 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
case CIPSO_V4_TAG_LOCAL:
/* This is a non-standard tag that we only allow for
* local connections, so if the incoming interface is
- * not the loopback device drop the packet. */
- if (!(skb->dev->flags & IFF_LOOPBACK)) {
+ * not the loopback device drop the packet. Further,
+ * there is no legitimate reason for setting this from
+ * userspace so reject it if skb is NULL. */
+ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
err_offset = opt_iter;
goto validate_return_locked;
}
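Review bot: the new `skb == NULL` test is correctly placed before `skb->dev->flags` so `||` short-circuits, but `skb->dev` itself is still dereferenced without a check; that matches the pre-patch assumption for packets on the receive path, and the expanded comment could say so explicitly so a future caller passing an skb with no device knows it is not covered here. Rejecting through `err_offset = opt_iter; goto validate_return_locked;` reports the local tag's offset, so a setsockopt(IP_OPTIONS) caller receives the same failure as for a malformed option rather than a distinct error, which is reasonable given the comment states there is no legitimate userspace use of this tag.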
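To make the fix concrete outside the kernel, here is an added userspace model of the tag loop in cipso_v4_validate() with the patched condition applied. It is example code written for this page, not the kernel's own code: the `model_skb`/`model_net_device` structures, `model_cipso_validate()` and `validate_reproducer()` are assumed stand-ins, and the option bytes are constructed to match the reproducer in the commit message (DOI 3 followed by an empty tag of type 128). Calling it with `skb == NULL` models the setsockopt() path that crashed before the patch.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Same values the reproducer and the kernel use: IPOPT_CIPSO is 134 in
 * <linux/ip.h>, IFF_LOOPBACK is 0x8 in <linux/if.h>. */
#define IPOPT_CIPSO        134
#define CIPSO_V4_HDR_LEN   6
#define CIPSO_V4_TAG_LOCAL 128
#define IFF_LOOPBACK       0x8

/* Minimal stand-ins for the kernel structures (assumed shapes, not the kernel's). */
struct model_net_device { unsigned int flags; };
struct model_skb { struct model_net_device *dev; };

/* Model of the tag loop in cipso_v4_validate() with the patch applied.
 * Returns 0 when the option is acceptable, otherwise the offset of the
 * offending byte (like err_offset). skb == NULL models the setsockopt()
 * path, where there is no incoming packet to inspect. */
int model_cipso_validate(const struct model_skb *skb,
                         const unsigned char *opt, size_t opt_len)
{
    size_t opt_iter;

    /* Option header: type byte, length byte, 4-byte DOI */
    if (opt_len < CIPSO_V4_HDR_LEN || opt[0] != IPOPT_CIPSO || opt[1] != opt_len)
        return 1;

    for (opt_iter = CIPSO_V4_HDR_LEN; opt_iter < opt_len; opt_iter += opt[opt_iter + 1]) {
        unsigned char tag_type, tag_len;

        if (opt_iter + 2 > opt_len)
            return (int)opt_iter;          /* truncated tag header */
        tag_type = opt[opt_iter];
        tag_len = opt[opt_iter + 1];
        if (tag_len < 2 || opt_iter + tag_len > opt_len)
            return (int)opt_iter + 1;      /* tag length runs past the option */

        switch (tag_type) {
        case CIPSO_V4_TAG_LOCAL:
            /* The patched condition: test skb before touching skb->dev, and
             * reject the local tag whenever there is no loopback packet. */
            if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK))
                return (int)opt_iter;
            break;
        default:
            /* The kernel checks other tag types against the DOI definition;
             * this model accepts them once they are well-formed. */
            break;
        }
    }
    return 0;
}

/* Constructed sample: the option bytes the reproducer sends, i.e. a CIPSO
 * header with DOI 3 followed by an empty TAG_LOCAL tag. Returns the length. */
size_t build_local_tag_option(unsigned char *buf, size_t buf_len)
{
    static const unsigned char opt[] = {
        IPOPT_CIPSO, 12,            /* option type, total length */
        0, 0, 0, 3,                 /* DOI 3, big endian */
        CIPSO_V4_TAG_LOCAL, 6,      /* tag type 128, tag length */
        0, 0, 0, 0                  /* local tag payload */
    };
    if (buf_len < sizeof(opt))
        return 0;
    memcpy(buf, opt, sizeof(opt));
    return sizeof(opt);
}

/* Runs the reproducer's option through the model. has_skb == 0 models the
 * setsockopt() call; otherwise dev_flags describes the incoming interface. */
int validate_reproducer(int has_skb, unsigned int dev_flags)
{
    unsigned char buf[16];
    struct model_net_device dev = { dev_flags };
    struct model_skb skb = { &dev };
    size_t len = build_local_tag_option(buf, sizeof(buf));

    return model_cipso_validate(has_skb ? &skb : NULL, buf, len);
}

int main(void)
{
    printf("setsockopt path (no skb):   err_offset=%d\n", validate_reproducer(0, 0));
    printf("packet from loopback:       err_offset=%d\n", validate_reproducer(1, IFF_LOOPBACK));
    printf("packet from other interface: err_offset=%d\n", validate_reproducer(1, 0));
    return 0;
}
```

With the patched condition the setsockopt() case returns offset 6 (the local tag) instead of dereferencing a NULL skb, the loopback case is accepted, and a packet from any other interface is rejected at the same offset, which is the behaviour the hunk above encodes.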