linux/include
Vegard Nossum 1045b03e07 netlink: fix overrun in attribute iteration
kmemcheck reported this:

  kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
  0500110001508abf050010000500000002017300140000006f72672e66726565
   i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
                                   ^

  Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13)
  EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0
  EIP is at nla_parse+0x5a/0xf0
  EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005
  ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88
   DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
  CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0
  DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000
  DR6: ffff4ff0 DR7: 00000400
   [<c05d4b23>] rtnl_setlink+0x63/0x130
   [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200
   [<c05ddf66>] netlink_rcv_skb+0x76/0xa0
   [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30
   [<c05dda21>] netlink_unicast+0x281/0x290
   [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0
   [<c05beef2>] sock_sendmsg+0xd2/0x100
   [<c05bf945>] sys_sendto+0xa5/0xd0
   [<c05bf9a6>] sys_send+0x36/0x40
   [<c05c03d6>] sys_socketcall+0x1e6/0x2c0
   [<c020353b>] sysenter_do_call+0x12/0x3f
   [<ffffffff>] 0xffffffff

This is the line in nla_ok():

  /**
   * nla_ok - check if the netlink attribute fits into the remaining bytes
   * @nla: netlink attribute
   * @remaining: number of bytes remaining in attribute stream
   */
  static inline int nla_ok(const struct nlattr *nla, int remaining)
  {
          return remaining >= sizeof(*nla) &&
                 nla->nla_len >= sizeof(*nla) &&
                 nla->nla_len <= remaining;
  }

It turns out that remaining can become negative due to alignment in
nla_next(). But GCC promotes "remaining" to unsigned in the test
against sizeof(*nla) above. Therefore the test succeeds, and the
nla_for_each_attr() may access memory outside the received buffer.

A short example illustrating this point is here:

  #include <stdio.h>

  main(void)
  {
          printf("%d\n", -1 >= sizeof(int));
  }

...which prints "1".

This patch adds a cast in front of the sizeof so that GCC will make
a signed comparison and fix the illegal memory dereference. With the
patch applied, there is no kmemcheck report.

Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-09-11 19:05:29 -07:00
..
acpi ACPICA: Additional error checking for pathname utilities 2008-08-15 02:12:16 +02:00
asm-arm [ARM] 5191/1: ARM: remove CVS keywords 2008-08-16 20:01:18 +01:00
asm-cris Reduce brokenness of CRIS headers_install 2008-08-20 13:19:51 -07:00
asm-frv FRV: Provide ioremap_wc() for FRV 2008-08-20 13:19:52 -07:00
asm-generic tracehook: comment pasto fixes 2008-09-05 14:39:38 -07:00
asm-m32r
asm-m68k m68k{,nommu}: Wire up new system calls 2008-08-11 10:37:34 -07:00
asm-mips [MIPS] Fix WARNING: at kernel/smp.c:290 2008-09-05 21:24:11 +01:00
asm-mn10300 MN10300: Supply ioremap_wc() for MN10300 2008-08-20 13:19:51 -07:00
asm-parisc
asm-um
asm-x86 x86: add NOPL as a synthetic CPU feature bit 2008-09-05 16:13:52 -07:00
asm-xtensa
crypto crypto: hash - Add missing top-level functions 2008-08-13 20:08:44 +10:00
drm
keys
linux Merge branch 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-09-08 15:47:21 -07:00
math-emu
media V4L/DVB (8610): Add suspend/resume capabilities to soc_camera. 2008-08-06 06:57:32 -03:00
mtd
net netlink: fix overrun in attribute iteration 2008-09-11 19:05:29 -07:00
pcmcia
rdma RDMA/cma: Remove padding arrays by using struct sockaddr_storage 2008-08-04 11:02:14 -07:00
rxrpc
scsi [SCSI] sd: fix USB devices incorrectly reporting DIF support 2008-08-06 10:49:23 -07:00
sound ALSA: ASoC: Export dapm_reg_event() fully 2008-07-29 16:00:33 +02:00
video atmel_lcdfb: add board parameter specify framebuffer memory size 2008-08-12 16:07:29 -07:00
xen
Kbuild