From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 048/105] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
Date: Tue, 10 Oct 2017 21:50:19 +0200
Message-ID: <20171010192541.322230998@linuxfoundation.org>
In-Reply-To: <20171010192533.717049376@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit fa5f7b51fc3080c2b195fa87c7eca7c05e56f673 ]
This code causes a static checker warning because Smatch doesn't trust
anything that comes from skb->data. I've reviewed this code and I do
think skb->data can be controlled by the user here.
The sctp_event_subscribe struct has 13 __u8 fields and we want to see
if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range.
We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read
either before the start of the struct or after the end.
This is a very old bug and it's surprising that it would go undetected
for so long but my theory is that it just doesn't have a big impact so
it would be hard to notice.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sctp/ulpevent.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/include/net/sctp/ulpevent.h
+++ b/include/net/sctp/ulpevent.h
@@ -141,8 +141,12 @@ __u16 sctp_ulpevent_get_notification_typ
static inline int sctp_ulpevent_type_enabled(__u16 sn_type,
struct sctp_event_subscribe *mask)
{
+ int offset = sn_type - SCTP_SN_TYPE_BASE;
char *amask = (char *) mask;
- return amask[sn_type - SCTP_SN_TYPE_BASE];
+
+ if (offset >= sizeof(struct sctp_event_subscribe))
+ return 0;
+ return amask[offset];
}
/* Given an event subscription, is this event enabled? */
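Review bot: the single guard `if (offset >= sizeof(struct sctp_event_subscribe))` rejects sn_type values below SCTP_SN_TYPE_BASE only because the signed `int offset` is converted to `size_t` for the comparison, so a negative offset becomes a very large unsigned value; that is correct but non-obvious, it will trip -Wsign-compare, and a later change that makes `offset` unsigned or reorders the comparison could silently reopen the read before the start of the struct that the commit message describes. Suggest making the low side explicit, e.g. `if (offset < 0 || offset >= sizeof(struct sctp_event_subscribe))`, or at least a one-line comment saying the negative case is intentionally caught by the unsigned comparison.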
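To make the out-of-bounds index concrete, here is an added user-space model of sctp_ulpevent_type_enabled() before and after the fix. It is not kernel code and not part of the patch: `struct model_event_subscribe` is a stand-in with the 13 one-byte flags the commit message describes rather than the kernel's real field list, `SCTP_SN_TYPE_BASE` mirrors the value the commit message cites, and the function names are invented for this example. It shows which sn_type values the unfixed index would send outside the struct, that the patched comparison rejects both the high and the negative side (via the implicit int-to-size_t conversion), and an equivalent guard with the low bound written out.

```c
/*
 * Added example, not kernel code: a user-space model of the bug fixed by
 * the patch above. The struct is a stand-in sized like the commit message
 * says (13 __u8 flags); it is not the kernel's struct sctp_event_subscribe.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCTP_SN_TYPE_BASE (1 << 15) /* value cited in the commit message */

struct model_event_subscribe {
    uint8_t flag[13]; /* stand-in for the 13 one-byte fields */
};

/* Raw index the unfixed code would use: sn_type is 16 bits, so this is
 * anywhere in [-32768, 32767] while the struct is only 13 bytes long. */
int model_unfixed_offset(uint16_t sn_type)
{
    return (int)sn_type - SCTP_SN_TYPE_BASE;
}

/* 1 if that index lands inside the struct, 0 if it would read outside. */
int model_index_in_range(uint16_t sn_type)
{
    int offset = model_unfixed_offset(sn_type);

    return offset >= 0 && (size_t)offset < sizeof(struct model_event_subscribe);
}

/* Patched logic with the same comparison as the hunk. A negative int offset
 * is converted to size_t here and becomes huge, so it is rejected as well. */
int model_type_enabled_fixed(uint16_t sn_type,
                             const struct model_event_subscribe *mask)
{
    int offset = model_unfixed_offset(sn_type);
    const char *amask = (const char *)mask;

    if (offset >= sizeof(struct model_event_subscribe))
        return 0;
    return amask[offset];
}

/* Same guard with the low bound written out, not relying on the conversion. */
int model_type_enabled_explicit(uint16_t sn_type,
                                const struct model_event_subscribe *mask)
{
    int offset = model_unfixed_offset(sn_type);
    const char *amask = (const char *)mask;

    if (offset < 0 || (size_t)offset >= sizeof(struct model_event_subscribe))
        return 0;
    return amask[offset];
}

int main(void)
{
    /* Constructed sample: every event subscribed. */
    struct model_event_subscribe mask;
    const uint16_t samples[] = { 0, SCTP_SN_TYPE_BASE - 1, SCTP_SN_TYPE_BASE,
                                 SCTP_SN_TYPE_BASE + 12, SCTP_SN_TYPE_BASE + 13,
                                 USHRT_MAX };
    size_t i;

    memset(&mask, 1, sizeof(mask));
    printf("%-8s %-8s %-9s %-6s %-9s\n",
           "sn_type", "offset", "in_range", "fixed", "explicit");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t t = samples[i];

        printf("%-8u %-8d %-9d %-6d %-9d\n", t, model_unfixed_offset(t),
               model_index_in_range(t), model_type_enabled_fixed(t, &mask),
               model_type_enabled_explicit(t, &mask));
    }
    return 0;
}
```

Only 13 of the 65536 possible sn_type values index inside the struct; every other value reads up to 32 KiB before or after it in the unfixed version, which is the "very old bug" with little visible impact that the commit message describes.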