Patchwork [maverick,CVE,1/1] can: add missing socket check in can/raw release

Submitter Andy Whitcroft
Date May 26, 2011, 4:07 p.m.
Message ID <1306426055-31069-2-git-send-email-apw@canonical.com>
Permalink /patch/97592/
State New

Comments

Andy Whitcroft - May 26, 2011, 4:07 p.m.
From: Oliver Hartkopp <socketcan@hartkopp.net>

v2: added space after 'if' according to code style.

We can get here with a NULL socket argument passed from userspace,
so we need to handle it accordingly.

Thanks to Dave Jones for pointing at this issue in net/can/bcm.c

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2011-1748
BugLink: http://bugs.launchpad.net/bugs/788694
(cherry picked from commit 10022a6c66e199d8f61d9044543f38785713cbbd)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/can/raw.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)
Tim Gardner - May 26, 2011, 4:11 p.m.
On 05/26/2011 10:07 AM, Andy Whitcroft wrote:
> From: Oliver Hartkopp<socketcan@hartkopp.net>
>
> v2: added space after 'if' according to code style.
>
> We can get here with a NULL socket argument passed from userspace,
> so we need to handle it accordingly.
>
> Thanks to Dave Jones for pointing at this issue in net/can/bcm.c
>
> Signed-off-by: Oliver Hartkopp<socketcan@hartkopp.net>
> Signed-off-by: David S. Miller<davem@davemloft.net>
>
> CVE-2011-1748
> BugLink: http://bugs.launchpad.net/bugs/788694
> (cherry picked from commit 10022a6c66e199d8f61d9044543f38785713cbbd)
> Signed-off-by: Andy Whitcroft<apw@canonical.com>
> ---
>   net/can/raw.c |    7 ++++++-
>   1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/net/can/raw.c b/net/can/raw.c
> index 1650599..9ae3b9b 100644
> --- a/net/can/raw.c
> +++ b/net/can/raw.c
> @@ -281,7 +281,12 @@ static int raw_init(struct sock *sk)
>   static int raw_release(struct socket *sock)
>   {
>   	struct sock *sk = sock->sk;
> -	struct raw_sock *ro = raw_sk(sk);
> +	struct raw_sock *ro;
> +
> +	if (!sk)
> +		return 0;
> +
> +	ro = raw_sk(sk);
>
>   	unregister_netdevice_notifier(&ro->notifier);
>
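
Review bot: the early `return 0` under `if (!sk)` carries no comment saying how raw_release() can be reached with `sock->sk` unset, so the guard will look arbitrary to a later reader. A one-line comment above the check naming that case would help. Returning before `unregister_netdevice_notifier(&ro->notifier)` is the right behaviour here, since without `sk` there is no `ro` to tear down.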

Acked-by: Tim Gardner <tim.gardner@canonical.com>
Leann Ogasawara - May 26, 2011, 4:13 p.m.
On Thu, 2011-05-26 at 17:07 +0100, Andy Whitcroft wrote:
> From: Oliver Hartkopp <socketcan@hartkopp.net>
> 
> v2: added space after 'if' according to code style.
> 
> We can get here with a NULL socket argument passed from userspace,
> so we need to handle it accordingly.
> 
> Thanks to Dave Jones for pointing at this issue in net/can/bcm.c
> 
> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2011-1748
> BugLink: http://bugs.launchpad.net/bugs/788694
> (cherry picked from commit 10022a6c66e199d8f61d9044543f38785713cbbd)
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
>  net/can/raw.c |    7 ++++++-
>  1 files changed, 6 insertions(+), 1 deletions(-)
> 
> diff --git a/net/can/raw.c b/net/can/raw.c
> index 1650599..9ae3b9b 100644
> --- a/net/can/raw.c
> +++ b/net/can/raw.c
> @@ -281,7 +281,12 @@ static int raw_init(struct sock *sk)
>  static int raw_release(struct socket *sock)
>  {
>  	struct sock *sk = sock->sk;
> -	struct raw_sock *ro = raw_sk(sk);
> +	struct raw_sock *ro;
> +
> +	if (!sk)
> +		return 0;
> +
> +	ro = raw_sk(sk);
>  
>  	unregister_netdevice_notifier(&ro->notifier);
>  
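
Review bot: the `if (!sk)` guard in raw_release() covers net/can/raw.c only, yet the commit message says the issue was pointed out in net/can/bcm.c, and this is posted as 1/1 with a diffstat of one file. It is worth confirming that the bcm counterpart is queued separately for maverick, so that both release paths end up with the check.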
> -- 
> 1.7.4.1
> 
>

Patch

diff --git a/net/can/raw.c b/net/can/raw.c
index 1650599..9ae3b9b 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -281,7 +281,12 @@  static int raw_init(struct sock *sk)
 static int raw_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
-	struct raw_sock *ro = raw_sk(sk);
+	struct raw_sock *ro;
+
+	if (!sk)
+		return 0;
+
+	ro = raw_sk(sk);
 
 	unregister_netdevice_notifier(&ro->notifier);
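
Review bot: the new guard tests `sk`, but `sock` itself is still dereferenced unconditionally one line earlier in `struct sock *sk = sock->sk;`, while the commit message speaks of a "NULL socket argument". If the case being handled is a valid `sock` whose `sk` is NULL, the message should say so. If `sock` can also be NULL on this path, the check has to come before that initializer. Deferring `ro = raw_sk(sk);` until after the check is the right ordering either way.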