* Patch "net: check both type and procotol for tcp sockets" has been added to the 4.1-stable tree
From: gregkh @ 2015-12-31 3:53 UTC (permalink / raw)
To: xiyou.wangcong, davem, dvyukov, eric.dumazet, gregkh, willemb,
willemdebruijn.kernel
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
net: check both type and procotol for tcp sockets
to the 4.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-check-both-type-and-procotol-for-tcp-sockets.patch
and it can be found in the queue-4.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Wed Dec 30 19:52:45 PST 2015
From: WANG Cong <xiyou.wangcong@gmail.com>
Date: Wed, 16 Dec 2015 23:39:04 -0800
Subject: net: check both type and procotol for tcp sockets
From: WANG Cong <xiyou.wangcong@gmail.com>
[ Upstream commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1 ]
Dmitry reported the following out-of-bound access:
Call Trace:
[<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
[<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
[< inline >] SYSC_setsockopt net/socket.c:1746
[<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
[<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
This is because we mistake a raw socket as a tcp socket.
We should check both sk->sk_type and sk->sk_protocol to ensure
it is a tcp socket.
Willem points out __skb_complete_tx_timestamp() needs to be fixed as well.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/skbuff.c | 3 ++-
net/core/sock.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3661,7 +3661,8 @@ static void __skb_complete_tx_timestamp(
serr->ee.ee_info = tstype;
if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
serr->ee.ee_data = skb_shinfo(skb)->tskey;
- if (sk->sk_protocol == IPPROTO_TCP)
+ if (sk->sk_protocol == IPPROTO_TCP &&
+ sk->sk_type == SOCK_STREAM)
serr->ee.ee_data -= sk->sk_tskey;
}
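Review bot: The condition added in __skb_complete_tx_timestamp() is the same two-field test this patch also adds in net/core/sock.c, and the two sites have to agree on which sockets count as TCP for the SOF_TIMESTAMPING_OPT_ID key: this one guards the "serr->ee.ee_data -= sk->sk_tskey" adjustment, the other the setsockopt path. Open-coding "sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM" twice leaves room for a later change to update one and miss the other. Consider a small inline predicate shared by both files, with a one-line comment stating why sk_protocol alone is not enough (per the commit message, a raw socket can be mistaken for a TCP one).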
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -859,7 +859,8 @@ set_rcvbuf:
if (val & SOF_TIMESTAMPING_OPT_ID &&
!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
- if (sk->sk_protocol == IPPROTO_TCP) {
+ if (sk->sk_protocol == IPPROTO_TCP &&
+ sk->sk_type == SOCK_STREAM) {
if (sk->sk_state != TCP_ESTABLISHED) {
ret = -EINVAL;
break;
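Review bot: The new "sk->sk_type == SOCK_STREAM" test in the SOF_TIMESTAMPING_OPT_ID branch has no comment saying what it protects, and the code it protects is not obvious from the condition. The visible part of the branch only compares sk->sk_state with TCP_ESTABLISHED, while the KASAN trace in the commit message reports the load at net/core/sock.c:880, further down than this hunk shows. A short comment on the condition noting that the body assumes a TCP socket would help the next reader. It is also worth confirming in the changelog that a socket with sk_protocol == IPPROTO_TCP but a non-stream type is meant to take the non-TCP path for the key, since that is what the narrowed condition now does.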
Patches currently in stable-queue which might be from xiyou.wangcong@gmail.com are
queue-4.1/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
queue-4.1/net-check-both-type-and-procotol-for-tcp-sockets.patch