| Message ID | 20170720075734.26552-2-po-hsu.lin@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 20.07.2017 09:57, Po-Hsu Lin wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2017-7487 > > We should call ipxitf_put() if the copy_to_user() fails. > > Reported-by: 李强 <liqiang6-s@360.cn> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/ipx/af_ipx.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c > index 6857ae4..654e39d 100644 > --- a/net/ipx/af_ipx.c > +++ b/net/ipx/af_ipx.c > @@ -1183,11 +1183,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg) > sipx->sipx_network = ipxif->if_netnum; > memcpy(sipx->sipx_node, ipxif->if_node, > sizeof(sipx->sipx_node)); > - rc = -EFAULT; > + rc = 0; > if (copy_to_user(arg, &ifr, sizeof(ifr))) > - break; > + rc = -EFAULT; > ipxitf_put(ipxif); > - rc = 0; > break; > } > case SIOCAIPXITFCRT: >
On 20/07/17 08:57, Po-Hsu Lin wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2017-7487 > > We should call ipxitf_put() if the copy_to_user() fails. > > Reported-by: 李强 <liqiang6-s@360.cn> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > net/ipx/af_ipx.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c > index 6857ae4..654e39d 100644 > --- a/net/ipx/af_ipx.c > +++ b/net/ipx/af_ipx.c > @@ -1183,11 +1183,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg) > sipx->sipx_network = ipxif->if_netnum; > memcpy(sipx->sipx_node, ipxif->if_node, > sizeof(sipx->sipx_node)); > - rc = -EFAULT; > + rc = 0; > if (copy_to_user(arg, &ifr, sizeof(ifr))) > - break; > + rc = -EFAULT; > ipxitf_put(ipxif); > - rc = 0; > break; > } > case SIOCAIPXITFCRT: > Clean cherry pick. Looks good. Acked-by: Colin Ian King <colin.king@canonical.com>
Applied to trusty and zesty master-next branches. Thanks, Kleber
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c index 6857ae4..654e39d 100644 --- a/net/ipx/af_ipx.c +++ b/net/ipx/af_ipx.c @@ -1183,11 +1183,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg) sipx->sipx_network = ipxif->if_netnum; memcpy(sipx->sipx_node, ipxif->if_node, sizeof(sipx->sipx_node)); - rc = -EFAULT; + rc = 0; if (copy_to_user(arg, &ifr, sizeof(ifr))) - break; + rc = -EFAULT; ipxitf_put(ipxif); - rc = 0; break; } case SIOCAIPXITFCRT: