From patchwork Thu Feb 28 11:59:37 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 223950 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 4AA492C02AC for ; Thu, 28 Feb 2013 22:59:55 +1100 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1UB29G-0004yt-WC; Thu, 28 Feb 2013 11:59:42 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1UB29E-0004wz-BC for kernel-team@lists.ubuntu.com; Thu, 28 Feb 2013 11:59:40 +0000 Received: from [188.250.143.69] (helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1UB29D-0006IF-Sn; Thu, 28 Feb 2013 11:59:40 +0000 From: Luis Henriques To: Mathias Krause Subject: [ 3.5.y.z extended stable ] Patch "sock_diag: Fix out-of-bounds access to sock_diag_handlers[]" has been added to staging queue Date: Thu, 28 Feb 2013 11:59:37 +0000 Message-Id: <1362052777-21211-1-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 1.8.1.2 X-Extended-Stable: 3.5 Cc: Eric Dumazet , "David S. Miller" , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled sock_diag: Fix out-of-bounds access to sock_diag_handlers[] to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From e83c00b5daeaeef5635926d9e907f100f1bfa419 Mon Sep 17 00:00:00 2001 From: Mathias Krause Date: Sat, 23 Feb 2013 01:13:47 +0000 Subject: [PATCH] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 upstream. Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Luis Henriques --- net/core/sock_diag.c | 3 +++ 1 file changed, 3 insertions(+) -- 1.8.1.2 diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index 5fd1467..964a92c 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -126,6 +126,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT;