From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Eric Dumazet" <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.2 63/94] ipv4: fix buffer overflow in ip_options_compile()
Date: Mon, 04 Aug 2014 17:48:32 +0100
Message-ID: <lsq.1407170912.370860048@decadent.org.uk>
In-Reply-To: <lsq.1407170911.107020799@decadent.org.uk>
3.2.62-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 10ec9472f05b45c94db3c854d22581a20b97db41 ]
There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1]:
It's benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.
[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026] [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394] [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843] [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175] [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490] [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835] [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208] [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459] [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815] [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884] [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975] [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175] [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400] [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677] [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851] [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
[28504.934377] of 40-byte region [ffff880026382800, ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430] ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884] ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294] ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504] ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483] ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573] ^
[28504.946277] ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949] ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114] ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116] ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472] ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269] f - 8 freed bytes
[28505.100884] r - 8 redzone bytes
[28505.101649] . - 8 allocated bytes
[28505.102406] x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================
[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/ip_options.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 40eb4fc..08623e2 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -277,6 +277,10 @@ int ip_options_compile(struct net *net,
optptr++;
continue;
}
+ if (unlikely(l < 2)) {
+ pp_ptr = optptr;
+ goto error;
+ }
optlen = optptr[1];
if (optlen<2 || optlen>l) {
pp_ptr = optptr;
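Review bot: the new `if (unlikely(l < 2))` guard is placed correctly, after the `optptr++; continue;` path for the single-byte options and before `optlen = optptr[1];`, but it deserves a one-line comment, because the `if (optlen<2 || optlen>l)` check right below it reads as if it already validates the length, when in fact it runs only after `optptr[1]` has been read; with a single trailing byte that read is the one past the end of the buffer. Setting `pp_ptr = optptr;` before `goto error` matches what the existing bad-length path does, so the ICMP parameter-problem pointer stays consistent for both failures.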
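The length-walking loop that this patch hardens, as an added user-space model (not the kernel's own code): `ip_options_walk()` mirrors the END/NOOP handling, the new `l < 2` guard and the existing `optlen` check, and `trailing_type_byte_example()` constructs the input shape from the report above, a full 40-byte option block whose last byte is a multi-byte option type with no room for its length byte. The option type values are the standard IPv4 ones; the model stops at IPOPT_END instead of padding the remainder as the kernel does.

```c
#include <stddef.h>
#include <string.h>

/* Standard IPv4 option codes and the header's maximum options length. */
#define IPOPT_END    0
#define IPOPT_NOOP   1
#define IPOPT_LSRR   131
#define MAX_IPOPTLEN 40

/* Walk l bytes of options. Returns -1 when every option length is sane,
 * otherwise the offset of the offending byte (the kernel keeps that
 * pointer in pp_ptr for the ICMP parameter-problem reply). */
static int ip_options_walk(const unsigned char *opts, int l)
{
    int off = 0;

    while (l > 0) {
        unsigned char type = opts[off];
        int optlen;

        if (type == IPOPT_END)           /* end of list: the rest is padding */
            return -1;
        if (type == IPOPT_NOOP) {        /* single-byte option, no length byte */
            off++;
            l--;
            continue;
        }
        /* The fix: a multi-byte option needs a length byte. With l == 1,
         * opts[off + 1] would be the byte just past the end of the block. */
        if (l < 2)
            return off;
        optlen = opts[off + 1];
        if (optlen < 2 || optlen > l)    /* must cover type+len and fit in l */
            return off;
        off += optlen;
        l -= optlen;
    }
    return -1;
}

/* Constructed input matching the report: 39 NOOPs followed by a lone
 * LSRR type byte at offset 39, so the pre-fix code would read offset 40. */
static int trailing_type_byte_example(void)
{
    unsigned char opts[MAX_IPOPTLEN];

    memset(opts, IPOPT_NOOP, sizeof(opts));
    opts[MAX_IPOPTLEN - 1] = IPOPT_LSRR;
    return ip_options_walk(opts, MAX_IPOPTLEN);   /* returns 39 */
}
```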