Re: [PATCH]: SCTP length validation.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vlad Yasevich <vladislav.yasevich@hp.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org
Subject: Re: [PATCH]: SCTP length validation.
Date: Mon, 23 Jun 2008 15:59:43 +0000	[thread overview]
Message-ID: <485FC86F.4090808@hp.com> (raw)
In-Reply-To: <20080622.123232.71141502.davem@davemloft.net>

David Miller wrote:
> From: Vlad Yasevich <vladislav.yasevich@hp.com>
> Date: Sat, 21 Jun 2008 11:55:19 -0400
> 
>> The same vulnerability also exists in sctp_getsockopt_peer_addrs_old().
>> It's a bit more difficult to trigger since there is a dependency on
>> the peer being multihomed as well, but it's still possible to cause the
>> overwrite.
> 
> I can't see how that's possible.  This case looks harmless to
> me.
> 
> The kernel side accesses are perfectly protected.  The kernel
> will only access the actual address list stored via:
> 
> 	list_for_each_entry(from, &asoc->peer.transport_addr_list,
> 				transports) {
>  ...
> 		cnt ++;
> 		if (cnt >= getaddrs.addr_num) break;
> 	}
> 	getaddrs.addr_num = cnt;
> 
> Copies are only made to userspace, and the given ->addr_num only
> serves as an early break-out from that loop.  I mean, take a look,
> those lines in the above are the only aaccesses made to the user's
> provided addr_num value.
> 
> There is no possibility to use strange ->addr_num values
> in order to read or write kernel memory outside of the
> intended bounds.
> 
> I don't even see any value to adding new checks here.
> 

You are right.  I didn't look far enough.  Since there is no kmalloc(),
the overflow of kernel memory is not possible, and copy_to_user should
take care of any overflows of the user memory.

-vlad

WARNING: multiple messages have this Message-ID (diff)

From: Vlad Yasevich <vladislav.yasevich@hp.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org
Subject: Re: [PATCH]: SCTP length validation.
Date: Mon, 23 Jun 2008 11:59:43 -0400	[thread overview]
Message-ID: <485FC86F.4090808@hp.com> (raw)
In-Reply-To: <20080622.123232.71141502.davem@davemloft.net>

David Miller wrote:
> From: Vlad Yasevich <vladislav.yasevich@hp.com>
> Date: Sat, 21 Jun 2008 11:55:19 -0400
> 
>> The same vulnerability also exists in sctp_getsockopt_peer_addrs_old().
>> It's a bit more difficult to trigger since there is a dependency on
>> the peer being multihomed as well, but it's still possible to cause the
>> overwrite.
> 
> I can't see how that's possible.  This case looks harmless to
> me.
> 
> The kernel side accesses are perfectly protected.  The kernel
> will only access the actual address list stored via:
> 
> 	list_for_each_entry(from, &asoc->peer.transport_addr_list,
> 				transports) {
>  ...
> 		cnt ++;
> 		if (cnt >= getaddrs.addr_num) break;
> 	}
> 	getaddrs.addr_num = cnt;
> 
> Copies are only made to userspace, and the given ->addr_num only
> serves as an early break-out from that loop.  I mean, take a look,
> those lines in the above are the only aaccesses made to the user's
> provided addr_num value.
> 
> There is no possibility to use strange ->addr_num values
> in order to read or write kernel memory outside of the
> intended bounds.
> 
> I don't even see any value to adding new checks here.
> 

You are right.  I didn't look far enough.  Since there is no kmalloc(),
the overflow of kernel memory is not possible, and copy_to_user should
take care of any overflows of the user memory.

-vlad

next prev parent reply	other threads:[~2008-06-23 15:59 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-06-21  5:12 [PATCH]: SCTP length validation David Miller
2008-06-21  5:12 ` David Miller
2008-06-21 15:55 ` Vlad Yasevich
2008-06-21 15:55   ` Vlad Yasevich
2008-06-22 19:32   ` David Miller
2008-06-22 19:32     ` David Miller
2008-06-23 15:59     ` Vlad Yasevich [this message]
2008-06-23 15:59       ` Vlad Yasevich
2008-06-23 21:42       ` David Miller
2008-06-23 21:42         ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=485FC86F.4090808@hp.com \
    --to=vladislav.yasevich@hp.com \
    --cc=davem@davemloft.net \
    --cc=linux-sctp@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.