From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tamir Duberstein <tamird@gmail.com>,
Willem de Bruijn <willemb@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 15/16] ipv6: raw: check passed optlen before reading
Date: Mon, 3 Jan 2022 12:28:48 -0500 [thread overview]
Message-ID: <20220103172849.1612731-15-sashal@kernel.org> (raw)
In-Reply-To: <20220103172849.1612731-1-sashal@kernel.org>
From: Tamir Duberstein <tamird@gmail.com>
[ Upstream commit fb7bc9204095090731430c8921f9e629740c110a ]
Add a check that the user-provided option is at least as long as the
number of bytes we intend to read. Before this patch we would blindly
read sizeof(int) bytes even in cases where the user passed
optlen<sizeof(int), which would potentially read garbage or fault.
Discovered by new tests in https://github.com/google/gvisor/pull/6957 .
The original get_user call predates history in the git repo.
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20211229200947.2862255-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/raw.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 60f1e4f5be5aa..c51d5ce3711c2 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -1020,6 +1020,9 @@ static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
struct raw6_sock *rp = raw6_sk(sk);
int val;
+ if (optlen < sizeof(val))
+ return -EINVAL;
+
if (copy_from_sockptr(&val, optval, sizeof(val)))
return -EFAULT;
--
2.34.1
prev parent reply other threads:[~2022-01-03 17:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220103172849.1612731-1-sashal@kernel.org>
2022-01-03 17:28 ` [PATCH AUTOSEL 5.15 06/16] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Sasha Levin
2022-01-03 17:28 ` [PATCH AUTOSEL 5.15 07/16] net: udp: fix alignment problem in udp4_seq_show() Sasha Levin
2022-01-03 17:28 ` [PATCH AUTOSEL 5.15 08/16] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Sasha Levin
2022-01-03 17:28 ` [PATCH AUTOSEL 5.15 12/16] mISDN: change function names to avoid conflicts Sasha Levin
2022-01-03 17:28 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220103172849.1612731-15-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=willemb@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).