Patchwork [1/1,LUCID,NATTY,ONEIRIC,PRECISE,CVE-2012-2136] net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

login
register
mail settings
Submitter Brad Figg
Date July 11, 2012, 7:42 p.m.
Message ID <1342035733-23595-3-git-send-email-brad.figg@canonical.com>
Download mbox | patch
Permalink /patch/170506/
State New
Headers show

Comments

Brad Figg - July 11, 2012, 7:42 p.m.
From: Jason Wang <jasowang@redhat.com>

CVE-2012-2136

BugLink: http://bugs.launchpad.net/bugs/1006622

We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 net/core/sock.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Patch

diff --git a/net/core/sock.c b/net/core/sock.c
index b4943d0..9867b03 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1400,6 +1400,11 @@  struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 	gfp_t gfp_mask;
 	long timeo;
 	int err;
+	int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+	err = -EMSGSIZE;
+	if (npages > MAX_SKB_FRAGS)
+		goto failure;
 
 	gfp_mask = sk->sk_allocation;
 	if (gfp_mask & __GFP_WAIT)
@@ -1418,14 +1423,12 @@  struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 		if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
 			skb = alloc_skb(header_len, gfp_mask);
 			if (skb) {
-				int npages;
 				int i;
 
 				/* No pages, we're done... */
 				if (!data_len)
 					break;
 
-				npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
 				skb->truesize += data_len;
 				skb_shinfo(skb)->nr_frags = npages;
 				for (i = 0; i < npages; i++) {