From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Slaby <jslaby@suse.cz>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>,
linux-sctp@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH 4.8 24/35] net: sctp, forbid negative length
Date: Sun, 13 Nov 2016 11:27:38 +0000 [thread overview]
Message-ID: <20161113112421.823737999@linuxfoundation.org> (raw)
In-Reply-To: <20161113112420.863033770@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby <jslaby@suse.cz>
[ Upstream commit a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf ]
Most of getsockopt handlers in net/sctp/socket.c check len against
sizeof some structure like:
if (len < sizeof(int))
return -EINVAL;
On the first look, the check seems to be correct. But since len is int
and sizeof returns size_t, int gets promoted to unsigned size_t too. So
the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
false.
Fix this in sctp by explicitly checking len < 0 before any getsockopt
handler is called.
Note that sctp_getsockopt_events already handled the negative case.
Since we added the < 0 check elsewhere, this one can be removed.
If not checked, this is the result:
UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
shift exponent 52 is too large for 32-bit type 'int'
CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
Call Trace:
[<ffffffffb3051498>] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
...
[<ffffffffb273f0e4>] ? kmalloc_order+0x24/0x90
[<ffffffffb27416a4>] ? kmalloc_order_trace+0x24/0x220
[<ffffffffb2819a30>] ? __kmalloc+0x330/0x540
[<ffffffffc18c25f4>] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
[<ffffffffc18d2bcd>] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
[<ffffffffb37c1219>] ? sock_common_getsockopt+0xb9/0x150
[<ffffffffb37be2f5>] ? SyS_getsockopt+0x1a5/0x270
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4683,7 +4683,7 @@ static int sctp_getsockopt_disable_fragm
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
- if (len <= 0)
+ if (len = 0)
return -EINVAL;
if (len > sizeof(struct sctp_event_subscribe))
len = sizeof(struct sctp_event_subscribe);
@@ -6426,6 +6426,9 @@ static int sctp_getsockopt(struct sock *
if (get_user(len, optlen))
return -EFAULT;
+ if (len < 0)
+ return -EINVAL;
+
lock_sock(sk);
switch (optname) {
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Slaby <jslaby@suse.cz>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>,
linux-sctp@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH 4.8 24/35] net: sctp, forbid negative length
Date: Sun, 13 Nov 2016 12:27:38 +0100 [thread overview]
Message-ID: <20161113112421.823737999@linuxfoundation.org> (raw)
In-Reply-To: <20161113112420.863033770@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby <jslaby@suse.cz>
[ Upstream commit a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf ]
Most of getsockopt handlers in net/sctp/socket.c check len against
sizeof some structure like:
if (len < sizeof(int))
return -EINVAL;
On the first look, the check seems to be correct. But since len is int
and sizeof returns size_t, int gets promoted to unsigned size_t too. So
the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
false.
Fix this in sctp by explicitly checking len < 0 before any getsockopt
handler is called.
Note that sctp_getsockopt_events already handled the negative case.
Since we added the < 0 check elsewhere, this one can be removed.
If not checked, this is the result:
UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
shift exponent 52 is too large for 32-bit type 'int'
CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
Call Trace:
[<ffffffffb3051498>] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
...
[<ffffffffb273f0e4>] ? kmalloc_order+0x24/0x90
[<ffffffffb27416a4>] ? kmalloc_order_trace+0x24/0x220
[<ffffffffb2819a30>] ? __kmalloc+0x330/0x540
[<ffffffffc18c25f4>] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
[<ffffffffc18d2bcd>] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
[<ffffffffb37c1219>] ? sock_common_getsockopt+0xb9/0x150
[<ffffffffb37be2f5>] ? SyS_getsockopt+0x1a5/0x270
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4683,7 +4683,7 @@ static int sctp_getsockopt_disable_fragm
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
- if (len <= 0)
+ if (len == 0)
return -EINVAL;
if (len > sizeof(struct sctp_event_subscribe))
len = sizeof(struct sctp_event_subscribe);
@@ -6426,6 +6426,9 @@ static int sctp_getsockopt(struct sock *
if (get_user(len, optlen))
return -EFAULT;
+ if (len < 0)
+ return -EINVAL;
+
lock_sock(sk);
switch (optname) {
next prev parent reply other threads:[~2016-11-13 11:27 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20161113112745epcas3p44b79602b71457dccccc98057db31f68c@epcas3p4.samsung.com>
2016-11-13 11:27 ` [PATCH 4.8 00/35] 4.8.8-stable review Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 02/35] net: pktgen: fix pkt_size Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 03/35] net/sched: act_vlan: Push skb->data to mac_header prior calling skb_vlan_*() functions Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 04/35] net: Add netdev all_adj_list refcnt propagation to fix panic Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 05/35] packet: call fanout_release, while UNREGISTERING a netdev Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 06/35] netlink: do not enter direct reclaim from netlink_dump() Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 07/35] drivers/ptp: Fix kernel memory disclosure Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 08/35] net_sched: reorder pernet ops and act ops registrations Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 09/35] ipv6: tcp: restore IP6CB for pktoptions skbs Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 10/35] net: phy: Trigger state machine on state change and not polling Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 11/35] ip6_tunnel: fix ip6_tnl_lookup Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 12/35] ipv6: correctly add local routes when lo goes up Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 13/35] IB/ipoib: move back IB LL address into the hard header Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 14/35] net/mlx4_en: fixup xdp tx irq to match rx Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 15/35] net: pktgen: remove rcu locking in pktgen_change_name() Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 16/35] bridge: multicast: restore perm router ports on multicast enable Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 17/35] switchdev: Execute bridge ndos only for bridge ports Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 18/35] rtnetlink: Add rtnexthop offload flag to compare mask Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 19/35] net: core: Correctly iterate over lower adjacency list Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 21/35] ipv4: disable BH in set_ping_group_range() Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 22/35] ipv4: use the right lock for ping_group_range Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 23/35] net: fec: Call swap_buffer() prior to IP header alignment Greg Kroah-Hartman
2016-11-13 11:27 ` Greg Kroah-Hartman [this message]
2016-11-13 11:27 ` [PATCH 4.8 24/35] net: sctp, forbid negative length Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 25/35] sctp: fix the panic caused by route update Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 26/35] udp: fix IP_CHECKSUM handling Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 27/35] netvsc: fix incorrect receive checksum offloading Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 28/35] macsec: Fix header length if SCI is added if explicitly disabled Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 29/35] net: ipv6: Do not consider link state for nexthop validation Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 30/35] net sched filters: fix notification of filter delete with proper handle Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 31/35] sctp: validate chunk len before actually using it Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 32/35] ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit() Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 33/35] packet: on direct_xmit, limit tso and csum to supported devices Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 34/35] arch/powerpc: Update parameters for csum_tcpudp_magic & csum_tcpudp_nofold Greg Kroah-Hartman
2016-11-13 11:27 ` [PATCH 4.8 35/35] usb: dwc3: gadget: properly account queued requests Greg Kroah-Hartman
2016-11-13 20:41 ` [PATCH 4.8 00/35] 4.8.8-stable review Guenter Roeck
2016-11-14 7:44 ` Greg Kroah-Hartman
[not found] ` <5828ae8b.46bb1c0a.31433.9533@mx.google.com>
2016-11-14 7:53 ` Greg Kroah-Hartman
2016-11-14 16:48 ` Shuah Khan
2016-11-14 17:18 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161113112421.823737999@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.