| Message ID | 20170718042318.5309-1-alexander.levin@verizon.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
From: "Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com> Date: Tue, 18 Jul 2017 04:23:16 +0000 > ifr name is assumed to be a valid string by the kernel, but nothing > was forcing username to pass a valid string. > > In turn, this would cause panics as we tried to access the string > past it's valid memory. > > Signed-off-by: Sasha Levin <alexander.levin@verizon.com> Applied and queued up for -stable. dev_ifname() has the same bug, I'll post a patch for that.
--- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -424,6 +424,8 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) if (copy_from_user(&iwr, arg, sizeof(iwr))) return -EFAULT; + iwr.ifr_name[sizeof(iwr.ifr_name) - 1] = 0; + return wext_handle_ioctl(net, &iwr, cmd, arg); }
ifr name is assumed to be a valid string by the kernel, but nothing was forcing username to pass a valid string. In turn, this would cause panics as we tried to access the string past it's valid memory. Signed-off-by: Sasha Levin <alexander.levin@verizon.com> --- net/core/dev_ioctl.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) index 82fd4c9c4a1b..7657ad6bc13d 100644