From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mateusz Jurczyk <mjurczyk@google.com>,
Kees Cook <keescook@chromium.org>,
Samuel Ortiz <sameo@linux.intel.com>
Subject: [PATCH 3.18 10/60] nfc: Fix the sockaddr length sanitization in llcp_sock_connect
Date: Tue, 25 Jul 2017 12:16:01 -0700 [thread overview]
Message-ID: <20170725191615.584695421@linuxfoundation.org> (raw)
In-Reply-To: <20170725191614.043749784@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Jurczyk <mjurczyk@google.com>
commit 608c4adfcabab220142ee335a2a003ccd1c0b25b upstream.
Fix the sockaddr length verification in the connect() handler of NFC/LLCP
sockets, to compare against the size of the actual structure expected on
input (sockaddr_nfc_llcp) instead of its shorter version (sockaddr_nfc).
Both structures are defined in include/uapi/linux/nfc.h. The fields
specific to the _llcp extended struct are as follows:
276 __u8 dsap; /* Destination SAP, if known */
277 __u8 ssap; /* Source SAP to be bound to */
278 char service_name[NFC_LLCP_MAX_SERVICE_NAME]; /* Service name URI */;
279 size_t service_name_len;
If the caller doesn't provide a sufficiently long sockaddr buffer, these
fields remain uninitialized (and they currently originate from the stack
frame of the top-level sys_connect handler). They are then copied by
llcp_sock_connect() into internal storage (nfc_llcp_sock structure), and
could be subsequently read back through the user-mode getsockname()
function (handled by llcp_sock_getname()). This would result in the
disclosure of up to ~70 uninitialized bytes from the kernel stack to
user-mode clients capable of creating AFC_NFC sockets.
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/llcp_sock.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -655,8 +655,7 @@ static int llcp_sock_connect(struct sock
pr_debug("sock %p sk %p flags 0x%x\n", sock, sk, flags);
- if (!addr || len < sizeof(struct sockaddr_nfc) ||
- addr->sa_family != AF_NFC)
+ if (!addr || len < sizeof(*addr) || addr->sa_family != AF_NFC)
return -EINVAL;
if (addr->service_name_len == 0 && addr->dsap == 0)
next prev parent reply other threads:[~2017-07-25 21:38 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-25 19:15 [PATCH 3.18 00/60] 3.18.63-stable review Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 01/60] disable new gcc-7.1.1 warnings for now Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 03/60] x86/rtc: Remove duplicate const specifier Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 04/60] [media] ir-core: fix gcc-7 warning on bool arithmetic Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 05/60] CIFS: Fix handle_cancelled_mid callback initialization Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 06/60] ath9k: fix tx99 use after free Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 07/60] ath9k: fix tx99 bus error Greg Kroah-Hartman
2017-07-25 19:15 ` [PATCH 3.18 08/60] NFC: fix broken device allocation Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 09/60] nfc: Ensure presence of required attributes in the activate_target handler Greg Kroah-Hartman
2017-07-25 19:16 ` Greg Kroah-Hartman [this message]
2017-07-25 19:16 ` [PATCH 3.18 11/60] include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 12/60] stddef.h: move offsetofend inside #ifndef/#endif guard, neaten Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 13/60] NFC: Add sockaddr length checks before accessing sa_family in bind handlers Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 14/60] Bluetooth: use constant time memory comparison for secret values Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 15/60] ASoC: compress: Derive substream from stream based on direction Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 16/60] PM / Domains: Fix unsafe iteration over modified list of device links Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 17/60] PM / Domains: Fix unsafe iteration over modified list of domain providers Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 18/60] scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 19/60] powerpc/64: Fix atomic64_inc_not_zero() to return an int Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 20/60] powerpc: Fix emulation of mcrf in emulate_step() Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 21/60] powerpc: Fix emulation of mfocrf " Greg Kroah-Hartman
2017-07-25 19:16 ` Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 22/60] powerpc/asm: Mark cr0 as clobbered in mftb() Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 23/60] af_key: Fix sadb_x_ipsecrequest parsing Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 24/60] PCI/PM: Restore the status of PCI devices across hibernation Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 25/60] xhci: fix 20000ms port resume timeout Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 26/60] xhci: Fix NULL pointer dereference when cleaning up streams for removed host Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 27/60] usb: storage: return on error to avoid a null pointer dereference Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 28/60] USB: cdc-acm: add device-id for quirky printer Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 29/60] usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 30/60] md: dont use flush_signals in userspace processes Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 31/60] Raid5 should update rdev->sectors after reshape Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 32/60] s390/syscalls: Fix out of bounds arguments access Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 34/60] f2fs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 35/60] vfio: Fix group release deadlock Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 36/60] vfio: New external user group/file match Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 37/60] MIPS: Fix mips_atomic_set() retry condition Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 38/60] MIPS: Fix mips_atomic_set() with EVA Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 39/60] MIPS: Negate error syscall return in trace Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 40/60] x86/acpi: Prevent out of bound access caused by broken ACPI tables Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 41/60] MIPS: Save static registers before sysmips Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 42/60] MIPS: Actually decode JALX in `__compute_return_epc_for_insn Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 43/60] MIPS: Fix unaligned PC interpretation in `compute_return_epc Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 44/60] MIPS: math-emu: Prevent wrong ISA mode instruction emulation Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 45/60] Input: i8042 - fix crash at boot time Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 46/60] NFS: only invalidate dentrys that are clearly invalid Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 47/60] udf: Fix deadlock between writeback and udf_setsize() Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 48/60] target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 50/60] Revert "perf/core: Drop kernel samples even though :u is specified" Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 51/60] staging: rtl8188eu: add TL-WN722N v2 support Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 52/60] drm/mst: Fix error handling during MST sideband message reception Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 53/60] drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req() Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 54/60] drm/mst: Avoid processing partially received up/down message transactions Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 55/60] KVM: PPC: Book3S HV: Context-switch EBB registers properly Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 56/60] of: device: Export of_device_{get_modalias, uvent_modalias} to modules Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 57/60] spmi: Include OF based modalias in device uevent Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 58/60] tracing: Fix kmemleak in instance_rmdir Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 59/60] alarmtimer: dont rate limit one-shot timers Greg Kroah-Hartman
2017-07-25 19:16 ` [PATCH 3.18 60/60] MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn Greg Kroah-Hartman
2017-07-26 3:10 ` [PATCH 3.18 00/60] 3.18.63-stable review Guenter Roeck
2017-07-26 14:23 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170725191615.584695421@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjurczyk@google.com \
--cc=sameo@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.