| Message ID | 1559651505-18137-1-git-send-email-92siuyang@gmail.com |
|---|---|
| State | Rejected |
| Delegated to: | David Miller |
| Headers | show |
| Series | net: compat: fix msg_controllen overflow in scm_detach_fds_compat() | expand |
On 06/04/2019 02:31 PM, Young Xiao wrote: > There is a missing check between kmsg->msg_controllen and cmlen, > which can possibly lead to overflow. > > This bug is similar to vulnerability that was fixed in commit 6900317f5eff > ("net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds"). Back then I mentioned in commit 6900317f5eff: In case of MSG_CMSG_COMPAT (scm_detach_fds_compat()), I haven't seen an issue in my tests as alignment seems always on 4 byte boundary. Same should be in case of native 32 bit, where we end up with 4 byte boundaries as well. Do you have an actual reproducer or is it based on code inspection? > Signed-off-by: Young Xiao <92siuyang@gmail.com> > --- > net/compat.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/compat.c b/net/compat.c > index a031bd3..8e74dfb 100644 > --- a/net/compat.c > +++ b/net/compat.c > @@ -301,6 +301,8 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) > err = put_user(cmlen, &cm->cmsg_len); > if (!err) { > cmlen = CMSG_COMPAT_SPACE(i * sizeof(int)); > + if (kmsg->msg_controllen < cmlen) > + cmlen = kmsg->msg_controllen; > kmsg->msg_control += cmlen; > kmsg->msg_controllen -= cmlen; > } >
On Tue, Jun 4, 2019 at 8:46 PM Daniel Borkmann <daniel@iogearbox.net> wrote: > > On 06/04/2019 02:31 PM, Young Xiao wrote: > > There is a missing check between kmsg->msg_controllen and cmlen, > > which can possibly lead to overflow. > > > > This bug is similar to vulnerability that was fixed in commit 6900317f5eff > > ("net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds"). > > Back then I mentioned in commit 6900317f5eff: > > In case of MSG_CMSG_COMPAT (scm_detach_fds_compat()), I haven't seen an > issue in my tests as alignment seems always on 4 byte boundary. Same > should be in case of native 32 bit, where we end up with 4 byte boundaries > as well. > > Do you have an actual reproducer or is it based on code inspection? based on inspection. > > > Signed-off-by: Young Xiao <92siuyang@gmail.com> > > --- > > net/compat.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/net/compat.c b/net/compat.c > > index a031bd3..8e74dfb 100644 > > --- a/net/compat.c > > +++ b/net/compat.c > > @@ -301,6 +301,8 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) > > err = put_user(cmlen, &cm->cmsg_len); > > if (!err) { > > cmlen = CMSG_COMPAT_SPACE(i * sizeof(int)); > > + if (kmsg->msg_controllen < cmlen) > > + cmlen = kmsg->msg_controllen; > > kmsg->msg_control += cmlen; > > kmsg->msg_controllen -= cmlen; > > } > > >
diff --git a/net/compat.c b/net/compat.c index a031bd3..8e74dfb 100644 --- a/net/compat.c +++ b/net/compat.c @@ -301,6 +301,8 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) err = put_user(cmlen, &cm->cmsg_len); if (!err) { cmlen = CMSG_COMPAT_SPACE(i * sizeof(int)); + if (kmsg->msg_controllen < cmlen) + cmlen = kmsg->msg_controllen; kmsg->msg_control += cmlen; kmsg->msg_controllen -= cmlen; }
There is a missing check between kmsg->msg_controllen and cmlen, which can possibly lead to overflow. This bug is similar to vulnerability that was fixed in commit 6900317f5eff ("net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds"). Signed-off-by: Young Xiao <92siuyang@gmail.com> --- net/compat.c | 2 ++ 1 file changed, 2 insertions(+)