From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathias Krause , Eric Dumazet , "David S. Miller" Subject: [ 135/150] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Date: Tue, 26 Feb 2013 15:56:32 -0800 Message-Id: <20130226235538.312022308@linuxfoundation.org> In-Reply-To: <20130226235523.930663721@linuxfoundation.org> References: <20130226235523.930663721@linuxfoundation.org> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.8-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause [ Upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 ] Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/sock_diag.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT;