From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 64/87] ipv4: fix buffer overflow in ip_options_compile()
Date: Sat, 26 Jul 2014 12:02:38 -0700 [thread overview]
Message-ID: <20140726190216.701880803@linuxfoundation.org> (raw)
In-Reply-To: <20140726190214.530473925@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 10ec9472f05b45c94db3c854d22581a20b97db41 ]
There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1] :
Its benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.
[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026] [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394] [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843] [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175] [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490] [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835] [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208] [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459] [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815] [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884] [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975] [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175] [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400] [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677] [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851] [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
[28504.934377] of 40-byte region [ffff880026382800, ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430] ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884] ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294] ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504] ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483] ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573] ^
[28504.946277] ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949] ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114] ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116] ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472] ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269] f - 8 freed bytes
[28505.100884] r - 8 redzone bytes
[28505.101649] . - 8 allocated bytes
[28505.102406] x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================
[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_options.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -288,6 +288,10 @@ int ip_options_compile(struct net *net,
optptr++;
continue;
}
+ if (unlikely(l < 2)) {
+ pp_ptr = optptr;
+ goto error;
+ }
optlen = optptr[1];
if (optlen < 2 || optlen > l) {
pp_ptr = optptr;
next prev parent reply other threads:[~2014-07-26 19:51 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-26 19:01 [PATCH 3.14 00/87] 3.14.14-stable review Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 01/87] usb: Check if port status is equal to RxDetect Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 02/87] usb: chipidea: udc: Disable auto ZLP generation on ep0 Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 03/87] media: gspca_pac7302: Add new usb-id for Genius i-Look 317 Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 04/87] ALSA: hda - Fix broken PM due to incomplete i915 initialization Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 05/87] ALSA: hda - initialize audio InfoFrame to be all zero Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 06/87] Drivers: hv: util: Fix a bug in the KVP code Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 07/87] Bluetooth: Ignore H5 non-link packets in non-active state Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 08/87] fuse: timeout comparison fix Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 09/87] fuse: handle large user and group ID Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 10/87] fuse: ignore entry-timeout on LOOKUP_REVAL Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 11/87] iio:core: Handle error when mask type is not separate Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 12/87] tracing: instance_rmdir() leaks ftrace_event_file->filter Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 13/87] tracing: Fix graph tracer with stack tracer on other archs Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 14/87] tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 15/87] tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 16/87] xen/balloon: set ballooned out pages as invalid in p2m Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 17/87] hwmon: (da9055) Dont use dash in the name attribute Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 18/87] hwmon: (da9052) " Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 19/87] hwmon: (adt7470) Fix writes to temperature limit registers Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 20/87] igb: Workaround for i210 Errata 25: Slow System Clock Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 21/87] igb: do a reset on SR-IOV re-init if device is down Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 22/87] quota: missing lock in dqcache_shrink_scan() Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 23/87] iwlwifi: update the 7265 series HW IDs Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 24/87] iwlwifi: dvm: dont enable CTS to self Greg Kroah-Hartman
2014-07-26 19:01 ` [PATCH 3.14 25/87] shmem: fix faulting into a hole while its punched Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 26/87] shmem: fix faulting into a hole, not taking i_mutex Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 27/87] shmem: fix splicing from a hole while its punched Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 28/87] e1000e: Fix SHRA register access for 82579 Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 29/87] ip_tunnel: fix ip_tunnel_lookup Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 30/87] slip: Fix deadlock in write_wakeup Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 31/87] slcan: Port write_wakeup deadlock fix from slip Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 32/87] net: sctp: propagate sysctl errors from proc_do* properly Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 33/87] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 34/87] net: sctp: check proc_dointvec result in proc_sctp_do_auth Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 35/87] 8021q: fix a potential memory leak Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 37/87] net: fix UDP tunnel GSO of frag_list GRO packets Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 38/87] ipv4: fix dst race in sk_dst_get() Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 39/87] ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 40/87] net: fix sparse warning in sk_dst_set() Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 41/87] vlan: free percpu stats in device destructor Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 42/87] bnx2x: fix possible panic under memory stress Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 43/87] tcp: Fix divide by zero when pushing during tcp-repair Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 44/87] ipv4: icmp: Fix pMTU handling for rare case Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 47/87] net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 48/87] igmp: fix the problem when mc leave group Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 49/87] tcp: fix false undo corner cases Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 50/87] appletalk: Fix socket referencing in skb Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 51/87] net: mvneta: fix operation in 10 Mbit/s mode Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 52/87] net: mvneta: Fix big endian issue in mvneta_txq_desc_csum() Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 53/87] netlink: Fix handling of error from netlink_dump() Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 54/87] be2net: set EQ DB clear-intr bit in be_open() Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 55/87] tipc: clear next-pointer of message fragments before reassembly Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 56/87] net: sctp: fix information leaks in ulpevent layer Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 57/87] net: pppoe: use correct channel MTU when using Multilink PPP Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 58/87] bonding: fix ad_select module param check Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 59/87] net-gre-gro: Fix a bug that breaks the forwarding path Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 60/87] sunvnet: clean up objects created in vnet_new() on vnet_exit() Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 63/87] dns_resolver: Null-terminate the right string Greg Kroah-Hartman
2014-07-26 19:02 ` Greg Kroah-Hartman [this message]
2014-07-26 19:02 ` [PATCH 3.14 65/87] perf: Do not allow optimized switch for non-cloned events Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 67/87] mwifiex: fix Tx timeout issue Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 68/87] ring-buffer: Fix polling on trace_pipe Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 69/87] irqchip: gic: Add support for cortex a7 compatible string Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 70/87] irqchip: gic: Add binding probe for ARM GIC400 Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 71/87] irqchip: gic: Fix core ID calculation when topology is read from DT Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 72/87] drm/radeon: set default bl level to something reasonable Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 73/87] drm/qxl: return IRQ_NONE if it was not our irq Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 74/87] drm/radeon: avoid leaking edid data Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 75/87] alarmtimer: Fix bug where relative alarm timers were treated as absolute Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 76/87] x86, tsc: Fix cpufreq lockup Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 77/87] mtd: devices: elm: fix elm_context_save() and elm_context_restore() functions Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 78/87] dm thin metadata: do not allow the data block size to change Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 79/87] dm cache " Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 80/87] PM / sleep: Fix request_firmware() error at resume Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 81/87] locking/mutex: Disable optimistic spinning on some architectures Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 82/87] sched: Fix possible divide by zero in avg_atom() calculation Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 83/87] aio: protect reqs_available updates from changes in interrupt handlers Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 84/87] ARM: dts: imx: Add alias for ethernet controller Greg Kroah-Hartman
2014-07-26 19:02 ` [PATCH 3.14 85/87] iwlwifi: mvm: disable CTS to Self Greg Kroah-Hartman
2014-07-26 19:03 ` [PATCH 3.14 86/87] Dont trigger congestion wait on dirty-but-not-writeout pages Greg Kroah-Hartman
2014-07-26 19:03 ` [PATCH 3.14 87/87] ARC: Implement ptrace(PTRACE_GET_THREAD_AREA) Greg Kroah-Hartman
2014-07-27 15:00 ` [PATCH 3.14 00/87] 3.14.14-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140726190216.701880803@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox