From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Qidan He <i@flanker017.me>,
Kees Cook <keescook@chromium.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.8 30/45] net: ping: check minimum size on ICMP header length
Date: Fri, 9 Dec 2016 17:20:59 +0100 [thread overview]
Message-ID: <20161209161756.198078206@linuxfoundation.org> (raw)
In-Reply-To: <20161209161754.912203877@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 0eab121ef8750a5c8637d51534d5e9143fb0633f ]
Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
was no check that the iovec contained enough bytes for an ICMP header,
and the read loop would walk across neighboring stack contents. Since the
iov_iter conversion, bad arguments are noticed, but the returned error is
EFAULT. Returning EINVAL is a clearer error and also solves the problem
prior to v3.19.
This was found using trinity with KASAN on v3.18:
BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[< inline >] print_address_description mm/kasan/report.c:147
[< inline >] kasan_report_error mm/kasan/report.c:236
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[< inline >] check_memory_region mm/kasan/kasan.c:264
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[< inline >] __sock_sendmsg_nosec net/socket.c:624
[< inline >] __sock_sendmsg net/socket.c:632
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
[< inline >] SYSC_sendto net/socket.c:1797
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
CVE-2016-8399
Reported-by: Qidan He <i@flanker017.me>
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ping.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -662,6 +662,10 @@ int ping_common_sendmsg(int family, stru
if (len > 0xFFFF)
return -EMSGSIZE;
+ /* Must have at least a full ICMP header. */
+ if (len < icmph_len)
+ return -EINVAL;
+
/*
* Check the flags.
*/
next prev parent reply other threads:[~2016-12-09 16:22 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20161209162112epcas5p48e365650e03ecaae64d811516a0f837d@epcas5p4.samsung.com>
2016-12-09 16:20 ` [PATCH 4.8 00/45] 4.8.14-stable review Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 01/45] gro_cells: mark napi struct as not busy poll candidates Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 02/45] virtio-net: add a missing synchronize_net() Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 03/45] net: dsa: b53: Fix VLAN usage and how we treat CPU port Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 04/45] net: check dead netns for peernet2id_alloc() Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 05/45] ip6_tunnel: disable caching when the traffic class is inherited Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 06/45] net: sky2: Fix shutdown crash Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 07/45] af_unix: conditionally use freezable blocking calls in read Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 08/45] rtnetlink: fix FDB size computation Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 09/45] l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 10/45] rtnl: fix the loop index update error in rtnl_dump_ifinfo() Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 11/45] ipv6: bump genid when the IFA_F_TENTATIVE flag is clear Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 12/45] udplite: call proper backlog handlers Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 13/45] net: dsa: bcm_sf2: Ensure we re-negotiate EEE during after link change Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 14/45] net, sched: respect rcu grace period on cls destruction Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 15/45] net: dsa: fix unbalanced dsa_switch_tree reference counting Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 16/45] net/sched: pedit: make sure that offset is valid Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 17/45] netlink: Call cb->done from a worker thread Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 18/45] netlink: Do not schedule work from sk_destruct Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 19/45] net: macb: fix the RX queue reset in macb_rx() Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 20/45] net/dccp: fix use-after-free in dccp_invalid_packet Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 21/45] GSO: Reload iph after pskb_may_pull Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 22/45] packet: fix race condition in packet_set_ring Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 23/45] ip6_offload: check segs for NULL in ipv6_gso_segment Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 25/45] net: bcmgenet: Utilize correct struct device for all DMA operations Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 26/45] sh_eth: remove unchecked interrupts for RZ/A1 Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 28/45] geneve: avoid use-after-free of skb->data Greg Kroah-Hartman
2016-12-09 16:20 ` [PATCH 4.8 29/45] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE Greg Kroah-Hartman
2016-12-09 16:20 ` Greg Kroah-Hartman [this message]
2016-12-09 16:21 ` [PATCH 4.8 31/45] ipv4: Restore fib_trie_flush_external function and fix call ordering Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 32/45] ipv4: Fix memory leak in exception case for splitting tries Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 33/45] ipv4: Drop leaf from suffix pull/push functions Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 34/45] ipv4: Drop suffix update from resize code Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 35/45] sparc64: Fix find_node warning if numa node cannot be found Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 36/45] sparc64: fix compile warning section mismatch in find_node() Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 37/45] sparc32: Fix inverted invalid_frame_pointer checks on sigreturns Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 38/45] Dont feed anything but regular iovecs to blk_rq_map_user_iov Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 39/45] constify iov_iter_count() and iter_is_iovec() Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 40/45] ipv6: Set skb->protocol properly for local output Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 41/45] ipv4: " Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 42/45] Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()" Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 44/45] esp4: Fix integrity verification when ESN are used Greg Kroah-Hartman
2016-12-09 16:21 ` [PATCH 4.8 45/45] esp6: " Greg Kroah-Hartman
2016-12-09 18:24 ` [PATCH 4.8 00/45] 4.8.14-stable review Shuah Khan
2016-12-10 12:17 ` Greg Kroah-Hartman
2016-12-09 22:36 ` Guenter Roeck
2016-12-10 12:17 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161209161756.198078206@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=i@flanker017.me \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).