From patchwork Sat Feb 23 11:13:47 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathias Krause X-Patchwork-Id: 222711 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id CA7EE2C02AC for ; Sat, 23 Feb 2013 22:14:38 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757811Ab3BWLOQ (ORCPT ); Sat, 23 Feb 2013 06:14:16 -0500 Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757044Ab3BWLOM (ORCPT ); Sat, 23 Feb 2013 06:14:12 -0500 Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40 for ; Sat, 23 Feb 2013 03:14:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to :references; bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=; b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8 ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM od5Q== X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168; Sat, 23 Feb 2013 03:14:11 -0800 (PST) Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88]) by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09 (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 23 Feb 2013 03:14:10 -0800 (PST) From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Date: Sat, 23 Feb 2013 12:13:47 +0100 Message-Id: <1361618028-9024-2-git-send-email-minipli@googlemail.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com> References: <1361618028-9024-1-git-send-email-minipli@googlemail.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause Acked-by: Eric Dumazet --- net/core/sock_diag.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index 602cd63..750f44f 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT;