From: Paul <pawlkt@gmail.com>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: [B.A.T.M.A.N.] bat_socket_read missing checks
Date: Sat, 10 Dec 2011 15:01:55 +0100
Message-ID: <4EE36653.4000504@gmail.com>


Writing an icmp_packet_rr and then reading icmp_packet can lead to kernel
memory corruption, if __user *buf is just below TASK_SIZE.

-- 
Regards,
Paul



[-- Attachment #2: patch.txt --]

diff --git a/icmp_socket.c b/icmp_socket.c
index 5bc8649..f6a6536 100644
--- a/icmp_socket.c
+++ b/icmp_socket.c
@@ -136,7 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
 
        spin_unlock_bh(&socket_client->lock);
 
-       error = __copy_to_user(buf, &socket_packet->icmp_packet,
+       //queue can contain packets larger than icmp_packet (like icmp_packet_rr),
+       //so we can't rely just on the access_ok above
+       error = copy_to_user(buf, &socket_packet->icmp_packet,
                               socket_packet->icmp_len);
 
        packet_len = socket_packet->icmp_len;
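Review bot: the copy length is still socket_packet->icmp_len with no cap on the read's requested count, so switching __copy_to_user() to copy_to_user() only stops the write from crossing into kernel memory; a user buffer that is smaller than icmp_len but sits well inside user space is still overrun. Compute `packet_len = min(count, socket_packet->icmp_len)` before the copy and pass that length to copy_to_user() (and return it), instead of setting packet_len afterwards from icmp_len. The added comment also uses `//`, which is not kernel coding style; use a `/* ... */` block.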

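The failure mode Paul describes, as an added, self-contained C model written for this page (not batman-adv or kernel code): a byte array stands in for the address space, with everything below an assumed TASK_SIZE of 64 being user space and 16 sentinel bytes above it playing the role of kernel memory. access_ok(), an unchecked raw_copy_to_user() (the role __copy_to_user() plays in the pre-patch code) and a checked copy_to_user() are modelled with the same semantics as the real helpers, and the struct sizes (8 for icmp_packet, 24 for icmp_packet_rr) are assumptions chosen so that a buffer ending exactly at TASK_SIZE exhibits the bug. vulnerable_read() mirrors the pre-patch shape of bat_socket_read(); fixed_read() goes one step further than the posted hunk and also caps the copy at the caller's count.

```c
/*
 * Added example, not batman-adv code: a user-space model of the
 * bat_socket_read() bug from the message above. The "address space" is a
 * byte array; addresses below TASK_SIZE are user space, the bytes after it
 * stand in for kernel memory and hold a sentinel. All sizes and names are
 * assumptions chosen for illustration; only the shape of the bug matches
 * the patch: access_ok() for sizeof(icmp_packet), then an unchecked copy
 * of icmp_len bytes, which may be an icmp_packet_rr.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TASK_SIZE          64u   /* top of simulated user space (assumed) */
#define KERNEL_BYTES       16u   /* simulated kernel memory right above it */
#define MEM_SIZE           (TASK_SIZE + KERNEL_BYTES)
#define ICMP_PACKET_LEN     8u   /* stands in for sizeof(struct icmp_packet) */
#define ICMP_PACKET_RR_LEN 24u   /* stands in for sizeof(struct icmp_packet_rr) */
#define KERNEL_FILL       0xAAu  /* sentinel byte in the kernel region */

static uint8_t mem[MEM_SIZE];

static void reset_memory(void)
{
	memset(mem, 0, TASK_SIZE);
	memset(mem + TASK_SIZE, KERNEL_FILL, KERNEL_BYTES);
}

/* access_ok(addr, len): the whole range [addr, addr+len) must lie below TASK_SIZE. */
static int access_ok(uint32_t addr, uint32_t len)
{
	return len <= TASK_SIZE && addr <= TASK_SIZE - len;
}

/* Models __copy_to_user(): no range check, the caller is trusted. Returns bytes not copied. */
static uint32_t raw_copy_to_user(uint32_t addr, const uint8_t *src, uint32_t len)
{
	if (len > MEM_SIZE || addr > MEM_SIZE - len)	/* keeps the model itself in bounds */
		return len;
	memcpy(mem + addr, src, len);
	return 0;
}

/* Models copy_to_user(): access_ok() on the real length, then the copy. */
static uint32_t copy_to_user(uint32_t addr, const uint8_t *src, uint32_t len)
{
	if (!access_ok(addr, len))
		return len;
	return raw_copy_to_user(addr, src, len);
}

/* Pre-patch shape: access_ok() once for the small struct, copy icmp_len bytes, ignore count. */
static long vulnerable_read(uint32_t buf, uint32_t count, const uint8_t *pkt, uint32_t icmp_len)
{
	(void)count;
	if (!access_ok(buf, ICMP_PACKET_LEN))
		return -EFAULT;
	if (raw_copy_to_user(buf, pkt, icmp_len))
		return -EFAULT;
	return icmp_len;
}

/* Hardened shape: cap at count, and let copy_to_user() check the length actually written. */
static long fixed_read(uint32_t buf, uint32_t count, const uint8_t *pkt, uint32_t icmp_len)
{
	uint32_t len = icmp_len < count ? icmp_len : count;

	if (copy_to_user(buf, pkt, len))
		return -EFAULT;
	return len;
}

typedef long (*read_fn)(uint32_t, uint32_t, const uint8_t *, uint32_t);

struct result {
	long ret;		/* what the read returned */
	unsigned clobbered;	/* kernel sentinel bytes overwritten */
};

/* Queue an icmp_packet_rr, then read it into a buffer that ends exactly at TASK_SIZE. */
static struct result run_scenario(read_fn fn, uint32_t count)
{
	uint8_t pkt_rr[ICMP_PACKET_RR_LEN];		/* constructed sample packet */
	struct result r = { 0, 0 };
	uint32_t buf = TASK_SIZE - ICMP_PACKET_LEN;	/* just below TASK_SIZE */

	memset(pkt_rr, 0x42, sizeof(pkt_rr));
	reset_memory();
	r.ret = fn(buf, count, pkt_rr, ICMP_PACKET_RR_LEN);
	for (uint32_t i = TASK_SIZE; i < MEM_SIZE; i++)
		r.clobbered += mem[i] != KERNEL_FILL;
	return r;
}

int main(void)
{
	struct result v = run_scenario(vulnerable_read, ICMP_PACKET_LEN);
	struct result f = run_scenario(fixed_read, ICMP_PACKET_LEN);
	struct result big = run_scenario(fixed_read, ICMP_PACKET_RR_LEN);

	printf("vulnerable: ret=%ld, kernel bytes clobbered=%u\n", v.ret, v.clobbered);
	printf("fixed:      ret=%ld, kernel bytes clobbered=%u\n", f.ret, f.clobbered);
	printf("fixed, count larger than the room below TASK_SIZE: ret=%ld (-EFAULT is %d)\n",
	       big.ret, -EFAULT);
	return 0;
}
```

With the buffer placed 8 bytes below TASK_SIZE, the vulnerable path passes access_ok() for 8 bytes and then writes 24, overwriting all 16 sentinel bytes of the "kernel" region; the fixed path copies only the 8 bytes the caller asked for, and when the caller asks for 24 at that position it fails with -EFAULT instead of writing past the boundary.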
Thread overview: 8+ messages
2011-12-10 14:01 Paul [this message]
2011-12-10 14:28 ` [B.A.T.M.A.N.] [PATCHv2 1/3] batman-adv: bat_socket_read missing checks Sven Eckelmann
2011-12-10 14:28   ` [B.A.T.M.A.N.] [PATCHv2 2/3] batman-adv: Directly check read of icmp packet in copy_from_user Sven Eckelmann
2011-12-12 10:45     ` Marek Lindner
2011-12-10 14:28   ` [B.A.T.M.A.N.] [PATCHv3 3/3] batman-adv: Only write requested number of byte to user buffer Sven Eckelmann
2011-12-12 10:48     ` Marek Lindner
2011-12-10 15:36   ` [B.A.T.M.A.N.] [PATCHv3 1/2] " Sven Eckelmann
2011-12-12 10:44   ` [B.A.T.M.A.N.] [PATCHv2 1/3] batman-adv: bat_socket_read missing checks Marek Lindner
