Message ID | 20210218193937.29184-3-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | CVE-2021-20194 | expand |
On 18/02/2021 19:39, Thadeu Lima de Souza Cascardo wrote: > From: Loris Reiff <loris.reiff@liblor.ch> > > Since ctx.optlen is signed, a larger value than max_value could be > passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE > in the copy_to_user. > > Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") > Signed-off-by: Loris Reiff <loris.reiff@liblor.ch> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> > Reviewed-by: Stanislav Fomichev <sdf@google.com> > Link: https://lore.kernel.org/bpf/20210122164232.61770-2-loris.reiff@liblor.ch > (cherry picked from commit f4a2da755a7e1f5d845c52aee71336cee289935a) > CVE-2021-20194 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > kernel/bpf/cgroup.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c > index 7bae3686603e..c1fd5ca6fab6 100644 > --- a/kernel/bpf/cgroup.c > +++ b/kernel/bpf/cgroup.c > @@ -1439,7 +1439,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, > goto out; > } > > - if (ctx.optlen > max_optlen) { > + if (ctx.optlen > max_optlen || ctx.optlen < 0) { > ret = -EFAULT; > goto out; > } > Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 7bae3686603e..c1fd5ca6fab6 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -1439,7 +1439,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, goto out; } - if (ctx.optlen > max_optlen) { + if (ctx.optlen > max_optlen || ctx.optlen < 0) { ret = -EFAULT; goto out; }