Date: Mon, 17 Sep 2012 09:16:42 +0200
From: Steffen Klassert
To: Mathias Krause
Cc: "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] xfrm_user: return error pointer instead of NULL
Message-ID: <20120917071642.GC13023@secunet.com>
References: <1347572486-1628-1-git-send-email-minipli@googlemail.com>
In-Reply-To: <1347572486-1628-1-git-send-email-minipli@googlemail.com>

On Thu, Sep 13, 2012 at 11:41:26PM +0200, Mathias Krause wrote:
> When dump_one_state() returns an error, e.g. because of a too small
> buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
> instead of an error pointer. But its callers expect an error pointer
> and therefore continue to operate on a NULL skbuff.
>
> This could lead to a privilege escalation (execution of user code in
> kernel context) if the attacker has CAP_NET_ADMIN and is able to map
> address 0. Or it simply crashes with a NULL pointer dereference.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Mathias Krause

Acked-by: Steffen Klassert
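The contract mismatch described in the quoted commit message, as an added user-space C model that is not the kernel's code or the patch itself: the error-pointer helpers are re-implemented here after the kernel's err.h idea, `struct skb` is a constructed stand-in for sk_buff, and -EMSGSIZE is the errno this model chooses for the "buffer too small" failure. `IS_ERR()` does not recognise NULL, so a NULL returned on the error path reaches the code that uses the skb.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* User-space stand-ins for the kernel's error-pointer helpers (include/linux/err.h):
 * -errno values are encoded in the last page of the address space, which IS_ERR()
 * recognises; a NULL pointer is *not* in that range, so IS_ERR(NULL) is false. */
#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define PTR_ERR(ptr) ((long)(intptr_t)(ptr))
#define IS_ERR(ptr)  ((uintptr_t)(ptr) >= (uintptr_t)-MAX_ERRNO)

struct skb { char data[64]; size_t len; }; /* constructed stand-in for sk_buff */
static struct skb skb_storage;

/* Model of dump_one_state(): fails with -EMSGSIZE when the state does not fit. */
static int dump_one_state(struct skb *skb, size_t state_len)
{
    if (state_len > sizeof(skb->data))
        return -EMSGSIZE;
    skb->len = state_len;
    return 0;
}
/* Before the fix: the error path returns NULL, which the caller's IS_ERR() misses. */
static struct skb *state_netlink_before(size_t state_len)
{
    struct skb *skb = &skb_storage;
    if (dump_one_state(skb, state_len) < 0)
        return NULL;
    return skb;
}
/* After the fix: the errno is propagated as an error pointer that IS_ERR() catches. */
static struct skb *state_netlink_after(size_t state_len)
{
    struct skb *skb = &skb_storage;
    int err = dump_one_state(skb, state_len);
    return err ? ERR_PTR(err) : skb;
}

/* Caller written against the error-pointer contract. Returns the errno when the
 * failure is detected, 0 on success, and -1 if a NULL slipped past the check (in
 * the kernel this is the point where the NULL skb would be dereferenced). */
static long caller(struct skb *(*fn)(size_t), size_t state_len)
{
    struct skb *skb = fn(state_len);
    if (IS_ERR(skb))
        return PTR_ERR(skb);
    if (skb == NULL)
        return -1;
    return 0;
}
```

Auditing for this pattern means checking every return statement of a function whose callers use `IS_ERR()`: any `return NULL` on a failure path is a contract violation of exactly this kind.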