Patchwork net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS

login
register
mail settings
Submitter Luis Henriques
Date March 11, 2013, 12:32 p.m.
Message ID <1363005139-4420-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/226557/
State New
Headers show

Comments

Luis Henriques - March 11, 2013, 12:32 p.m.
From: Guenter Roeck <linux@roeck-us.net>

CVE-2013-1828

BugLink: http://bugs.launchpad.net/bugs/1152791

Building sctp may fail with:

In function ‘copy_from_user’,
    inlined from ‘sctp_getsockopt_assoc_stats’ at
    net/sctp/socket.c:5656:20:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
    ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
    buffer size is not provably correct

if built with W=1 due to a missing parameter size validation
before the call to copy_from_user.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 726bc6b092da4c093eb74d13c07184b18c1af0f1)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/sctp/socket.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
Luis Henriques - March 11, 2013, 12:38 p.m.
Ups... I forgot to set the subject -- this is CVE-2013-1828 fix, for
Raring.

Cheers,
--
Luis

On Mon, Mar 11, 2013 at 12:32:19PM +0000, Luis Henriques wrote:
> From: Guenter Roeck <linux@roeck-us.net>
> 
> CVE-2013-1828
> 
> BugLink: http://bugs.launchpad.net/bugs/1152791
> 
> Building sctp may fail with:
> 
> In function ‘copy_from_user’,
>     inlined from ‘sctp_getsockopt_assoc_stats’ at
>     net/sctp/socket.c:5656:20:
> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>     ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
>     buffer size is not provably correct
> 
> if built with W=1 due to a missing parameter size validation
> before the call to copy_from_user.
> 
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Acked-by: Vlad Yasevich <vyasevich@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 726bc6b092da4c093eb74d13c07184b18c1af0f1)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  net/sctp/socket.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index cedd9bf..9ef5c73 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
>  	if (len < sizeof(sctp_assoc_t))
>  		return -EINVAL;
>  
> +	/* Allow the struct to grow and fill in as much as possible */
> +	len = min_t(size_t, len, sizeof(sas));
> +
>  	if (copy_from_user(&sas, optval, len))
>  		return -EFAULT;
>  
> @@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
>  	/* Mark beginning of a new observation period */
>  	asoc->stats.max_obs_rto = asoc->rto_min;
>  
> -	/* Allow the struct to grow and fill in as much as possible */
> -	len = min_t(size_t, len, sizeof(sas));
> -
>  	if (put_user(len, optlen))
>  		return -EFAULT;
>  
> -- 
> 1.7.9.5
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Tim Gardner - March 11, 2013, 12:58 p.m.

Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index cedd9bf..9ef5c73 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5653,6 +5653,9 @@  static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
 	if (len < sizeof(sctp_assoc_t))
 		return -EINVAL;
 
+	/* Allow the struct to grow and fill in as much as possible */
+	len = min_t(size_t, len, sizeof(sas));
+
 	if (copy_from_user(&sas, optval, len))
 		return -EFAULT;
 
@@ -5686,9 +5689,6 @@  static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
 	/* Mark beginning of a new observation period */
 	asoc->stats.max_obs_rto = asoc->rto_min;
 
-	/* Allow the struct to grow and fill in as much as possible */
-	len = min_t(size_t, len, sizeof(sas));
-
 	if (put_user(len, optlen))
 		return -EFAULT;