From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] tcp: don't read out-of-bounds opsize
Date: Mon, 23 Apr 2018 09:52:49 -0400 (EDT)
Message-ID: <20180423.095249.1008800065389287269.davem@davemloft.net>
References: <20180420135730.44921-1-jannh@google.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
To: jannh@google.com
Return-path:
In-Reply-To: <20180420135730.44921-1-jannh@google.com>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

From: Jann Horn
Date: Fri, 20 Apr 2018 15:57:30 +0200

> The old code reads the "opsize" variable from out-of-bounds memory (first
> byte behind the segment) if a broken TCP segment ends directly after an
> opcode that is neither EOL nor NOP.
>
> The result of the read isn't used for anything, so the worst thing that
> could theoretically happen is a pagefault; and since the physmap is usually
> mostly contiguous, even that seems pretty unlikely.
>
> The following C reproducer triggers the uninitialized read - however, you
> can't actually see anything happen unless you put something like a
> pr_warn() in tcp_parse_md5sig_option() to print the opsize.
...
> Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
> Signed-off-by: Jann Horn

Applied and queued up for -stable, thank you.
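A bounds-checked walk over a TCP option list, as an added example that is neither the kernel's tcp_parse_md5sig_option() nor the reproducer from the patch: the hypothetical find_tcp_option() checks that a length byte is actually inside the buffer before reading it, so a segment that ends right after an opcode (the case the patch describes) yields -1 instead of a read past the end. Option kind values are the standard ones from RFC 793 and RFC 2385; the option bytes in main() are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
/* Option kinds from RFC 793 and RFC 2385. */
#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_MSS    2
#define TCPOPT_MD5SIG 19

/* Scan opts[0..length) for option `kind`: offset of its kind byte (opsize via
 * opsize_out) or -1 if absent or malformed. Never reads past opts + length. */
int find_tcp_option(const uint8_t *opts, int length, int kind, int *opsize_out)
{
    int off = 0;
    while (off < length) {
        int opcode = opts[off], opsize;
        if (opcode == TCPOPT_EOL)
            return -1;                  /* end of option list */
        if (opcode == TCPOPT_NOP) {
            off++;                      /* one-byte padding, no length byte */
            continue;
        }
        /* Every other option has a length byte. If the segment ends right
         * after the opcode, that byte is past the buffer: do not read it
         * (this is the case the patch fixes). */
        if (length - off < 2)
            return -1;
        opsize = opts[off + 1];
        /* opsize counts kind+len, so it must be >= 2 and fit what remains. */
        if (opsize < 2 || opsize > length - off)
            return -1;
        if (opcode == kind) {
            if (opsize_out)
                *opsize_out = opsize;
            return off;
        }
        off += opsize;
    }
    return -1;
}

int main(void)
{
    /* Constructed: NOP NOP MSS(len 4), then an MD5 opcode cut off by the end. */
    const uint8_t opts[] = { 1, 1, 2, 4, 0x05, 0xb4, 19 };
    int sz = 0, at = find_tcp_option(opts, 7, TCPOPT_MSS, &sz);
    printf("MSS at %d, len %d\n", at, sz);
    printf("MD5SIG at %d\n", find_tcp_option(opts, 7, TCPOPT_MD5SIG, &sz));
    return 0;
}
```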