OpenE2K/linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
0b9f20dad0
linux/net
History
Eric Dumazet 93baec3258 ipv4: fix buffer overflow in ip_options_compile() 
[ Upstream commit 10ec9472f0 ]

There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1] :

Its benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.

[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026]  [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394]  [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815]  [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
[28504.934377]  of 40-byte region [ffff880026382800, ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430]  ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884]  ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294]  ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504]  ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483]  ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573]                         ^
[28504.946277]  ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949]  ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114]  ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116]  ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472]  ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269]  f - 8 freed bytes
[28505.100884]  r - 8 redzone bytes
[28505.101649]  . - 8 allocated bytes
[28505.102406]  x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================

[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-07-28 08:06:01 -07:00
..
9p 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers 2014-02-10 17:48:54 -08:00
802 neigh: use NEIGH_VAR_INIT in ndo_neigh_setup functions. 2014-01-16 11:31:58 -08:00
8021q vlan: free percpu stats in device destructor 2014-07-28 08:05:59 -07:00
appletalk appletalk: Fix socket referencing in skb 2014-07-28 08:06:00 -07:00
atm net: Fix some fallout from the etner_addr_copy() changes. 2014-01-21 18:57:26 -08:00
ax25 net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
batman-adv batman-adv: fix local TT check for outgoing arp requests in DAT 2014-05-31 13:20:39 -07:00
bluetooth Bluetooth: Allow change security level on ATT_CID in slave role 2014-07-09 11:18:26 -07:00
bridge bridge: Prevent insertion of FDB entry with disallowed vlan 2014-06-26 15:15:39 -04:00
caif net: Include appropriate header file in caif/cfsrvl.c 2014-02-09 17:32:49 -08:00
can net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
ceph libceph: fix corruption when using page_count 0 page in rbd 2014-06-07 10:28:28 -07:00
core net-gre-gro: Fix a bug that breaks the forwarding path 2014-07-28 08:06:01 -07:00
dcb net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
dccp dccp: re-enable debug macro 2014-02-16 23:45:00 -05:00
decnet net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
dns_resolver dns_resolver: Null-terminate the right string 2014-07-28 08:06:01 -07:00
dsa dsa: Use ether_addr_copy 2014-01-21 18:13:05 -08:00
ethernet net: eth_type_trans() should use skb_header_pointer() 2014-01-16 15:30:31 -08:00
hsr hsr: off by one sanity check in hsr_register_frame_in() 2014-03-03 15:29:42 -05:00
ieee802154 6lowpan: fix lockdep splats 2014-02-10 17:51:29 -08:00
ipv4 ipv4: fix buffer overflow in ip_options_compile() 2014-07-28 08:06:01 -07:00
ipv6 net-gre-gro: Fix a bug that breaks the forwarding path 2014-07-28 08:06:01 -07:00
ipx net: Move prototype declaration to header file include/net/net_namespace.h from net/ipx/af_ipx.c 2014-02-09 17:32:50 -08:00
irda net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
iucv af_iucv: wrong mapping of sent and confirmed skbs 2014-06-30 20:11:51 -07:00
key selinux: add gfp argument to security_xfrm_policy_alloc and fix callers 2014-03-10 08:30:02 +01:00
l2tp l2tp: take PMTU from tunnel UDP socket 2014-05-31 13:20:33 -07:00
lapb
llc llc: remove noisy WARN from llc_mac_hdr_init 2014-01-28 18:01:32 -08:00
mac80211 mac80211: fix a memory leak on sta rate selection table 2014-07-09 11:18:26 -07:00
mac802154
mpls
netfilter netfilter: nf_nat: fix oops on netns removal 2014-07-09 11:18:28 -07:00
netlabel
netlink netlink: Fix handling of error from netlink_dump(). 2014-07-28 08:06:00 -07:00
netrom net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
nfc NFC: NCI: Fix NULL pointer dereference 2014-02-23 23:14:45 +01:00
openvswitch openvswitch: fix a possible deadlock and lockdep warning 2014-03-28 16:41:53 -04:00
packet net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
phonet net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
rds rds: prevent dereference of a NULL device in rds_iw_laddr_check 2014-04-14 06:50:04 -07:00
rfkill Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
rose net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
rxrpc RxRPC fixes 2014-01-28 18:04:18 -08:00
sched net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
sctp net: sctp: fix information leaks in ulpevent layer 2014-07-28 08:06:01 -07:00
sunrpc SUNRPC: Fix a module reference leak in svc_handle_xprt 2014-07-06 18:57:27 -07:00
tipc tipc: clear 'next'-pointer of message fragments before reassembly 2014-07-28 08:06:01 -07:00
unix net: unix: non blocking recvmsg() should not return -EINTR 2014-03-26 17:05:40 -04:00
vmw_vsock vsock: Make transport the proto owner 2014-05-31 13:20:36 -07:00
wimax
wireless cfg80211: add cfg80211_sched_scan_stopped_rtnl 2014-06-07 10:28:10 -07:00
x25 net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
xfrm net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:15:38 -04:00
compat.c x86, x32: Correct invalid use of user timespec in the kernel 2014-01-30 18:44:13 -08:00
Kconfig
Makefile net: move 6lowpan compression code to separate module 2014-01-15 15:36:38 -08:00
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-03-13 20:38:36 -07:00
sysctl_net.c