* [PATCH] crypto_user: Fix out-of-bounds read
@ 2014-04-22 19:30 Andy Lutomirski
2014-04-23 11:40 ` Dan Carpenter
0 siblings, 1 reply; 4+ messages in thread
From: Andy Lutomirski @ 2014-04-22 19:30 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, linux-kernel
Cc: security, ebiederm, Andy Lutomirski, stable
This is unlikely to be exploitable for anything except an OOPS.
Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
Notes:
This is entirely untested, but it looks obviously correct to me.
crypto/crypto_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 1512e41..bc7c4b5 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
int type, err;
type = nlh->nlmsg_type;
- if (type > CRYPTO_MSG_MAX)
+ if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX)
return -EINVAL;
type -= CRYPTO_MSG_BASE;
--
1.9.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] crypto_user: Fix out-of-bounds read
2014-04-22 19:30 [PATCH] crypto_user: Fix out-of-bounds read Andy Lutomirski
@ 2014-04-23 11:40 ` Dan Carpenter
2014-04-23 15:48 ` Andy Lutomirski
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2014-04-23 11:40 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Herbert Xu, David S. Miller, linux-crypto, linux-kernel, security,
ebiederm, stable
On Tue, Apr 22, 2014 at 12:30:28PM -0700, Andy Lutomirski wrote:
> This is unlikely to be exploitable for anything except an OOPS.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> ---
>
> Notes:
> This is entirely untested, but it looks obviously correct to me.
>
> crypto/crypto_user.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
> index 1512e41..bc7c4b5 100644
> --- a/crypto/crypto_user.c
> +++ b/crypto/crypto_user.c
> @@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> int type, err;
>
> type = nlh->nlmsg_type;
> - if (type > CRYPTO_MSG_MAX)
> + if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX)
> return -EINVAL;
Adding a check here is obviously harmless but I think this is only
called from netlink_rcv_skb() which already checks:
if (nlh->nlmsg_type < NLMSG_MIN_TYPE)
goto ack;
NLMSG_MIN_TYPE is 0x10 as well, so I don't think we can hit your
condition.
Your patch freaked me out a little because this is one of the bugs that
I should have caught throught static analysis.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] crypto_user: Fix out-of-bounds read
2014-04-23 11:40 ` Dan Carpenter
@ 2014-04-23 15:48 ` Andy Lutomirski
2014-04-23 19:23 ` Dan Carpenter
0 siblings, 1 reply; 4+ messages in thread
From: Andy Lutomirski @ 2014-04-23 15:48 UTC (permalink / raw)
To: Dan Carpenter
Cc: linux-crypto, security@kernel.org, Herbert Xu, Eric W. Biederman,
David S. Miller, stable, linux-kernel@vger.kernel.org
On Apr 23, 2014 4:40 AM, "Dan Carpenter" <dan.carpenter@oracle.com> wrote:
>
> On Tue, Apr 22, 2014 at 12:30:28PM -0700, Andy Lutomirski wrote:
> > This is unlikely to be exploitable for anything except an OOPS.
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> > ---
> >
> > Notes:
> > This is entirely untested, but it looks obviously correct to me.
> >
> > crypto/crypto_user.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
> > index 1512e41..bc7c4b5 100644
> > --- a/crypto/crypto_user.c
> > +++ b/crypto/crypto_user.c
> > @@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > int type, err;
> >
> > type = nlh->nlmsg_type;
> > - if (type > CRYPTO_MSG_MAX)
> > + if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX)
> > return -EINVAL;
>
> Adding a check here is obviously harmless but I think this is only
> called from netlink_rcv_skb() which already checks:
>
> if (nlh->nlmsg_type < NLMSG_MIN_TYPE)
> goto ack;
>
> NLMSG_MIN_TYPE is 0x10 as well, so I don't think we can hit your
> condition.
>
> Your patch freaked me out a little because this is one of the bugs that
> I should have caught throught static analysis.
BUILD_BUG_ON(NLMSG_MIN_TYPE != CRYPTO_MSG_BASE) might be a better
thing to add, then.
I don't feel so bad for missing this.
>
> regards,
> dan carpenter
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] crypto_user: Fix out-of-bounds read
2014-04-23 15:48 ` Andy Lutomirski
@ 2014-04-23 19:23 ` Dan Carpenter
0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-04-23 19:23 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-crypto, security@kernel.org, Herbert Xu, Eric W. Biederman,
David S. Miller, stable, linux-kernel@vger.kernel.org
On Wed, Apr 23, 2014 at 08:48:34AM -0700, Andy Lutomirski wrote:
> BUILD_BUG_ON(NLMSG_MIN_TYPE != CRYPTO_MSG_BASE) might be a better
> thing to add, then.
I don't have a strong opinion.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-04-23 19:23 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-22 19:30 [PATCH] crypto_user: Fix out-of-bounds read Andy Lutomirski
2014-04-23 11:40 ` Dan Carpenter
2014-04-23 15:48 ` Andy Lutomirski
2014-04-23 19:23 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).