Message ID | 1363005139-4420-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
Ups... I forgot to set the subject -- this is CVE-2013-1828 fix, for Raring. Cheers, -- Luis On Mon, Mar 11, 2013 at 12:32:19PM +0000, Luis Henriques wrote: > From: Guenter Roeck <linux@roeck-us.net> > > CVE-2013-1828 > > BugLink: http://bugs.launchpad.net/bugs/1152791 > > Building sctp may fail with: > > In function ‘copy_from_user’, > inlined from ‘sctp_getsockopt_assoc_stats’ at > net/sctp/socket.c:5656:20: > arch/x86/include/asm/uaccess_32.h:211:26: error: call to > ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() > buffer size is not provably correct > > if built with W=1 due to a missing parameter size validation > before the call to copy_from_user. > > Signed-off-by: Guenter Roeck <linux@roeck-us.net> > Acked-by: Vlad Yasevich <vyasevich@gmail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 726bc6b092da4c093eb74d13c07184b18c1af0f1) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/sctp/socket.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index cedd9bf..9ef5c73 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, > if (len < sizeof(sctp_assoc_t)) > return -EINVAL; > > + /* Allow the struct to grow and fill in as much as possible */ > + len = min_t(size_t, len, sizeof(sas)); > + > if (copy_from_user(&sas, optval, len)) > return -EFAULT; > > @@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, > /* Mark beginning of a new observation period */ > asoc->stats.max_obs_rto = asoc->rto_min; > > - /* Allow the struct to grow and fill in as much as possible */ > - len = min_t(size_t, len, sizeof(sas)); > - > if (put_user(len, optlen)) > return -EFAULT; > > -- > 1.7.9.5 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index cedd9bf..9ef5c73 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, if (len < sizeof(sctp_assoc_t)) return -EINVAL; + /* Allow the struct to grow and fill in as much as possible */ + len = min_t(size_t, len, sizeof(sas)); + if (copy_from_user(&sas, optval, len)) return -EFAULT; @@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, /* Mark beginning of a new observation period */ asoc->stats.max_obs_rto = asoc->rto_min; - /* Allow the struct to grow and fill in as much as possible */ - len = min_t(size_t, len, sizeof(sas)); - if (put_user(len, optlen)) return -EFAULT;