Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL

From: David Miller
Date: Sun Aug 26 2018 - 17:23:00 EST


From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Sat, 25 Aug 2018 22:58:01 -0700

> Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
> policy, so max length isn't enforced, only minimum. This means nkeys
> (from userspace) was being trusted without checking the actual size of
> nla_len(), which could lead to a memory over-read, and ultimately an
> exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
> a namespace.
>
> Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

I'll apply this as-is and queue it up for -stable.

If we want to avoid sizeof(*p) type stuff, it can be done as a follow-up.

Thanks.
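As an added illustration, not code from the patch or from the kernel, here is a simplified, self-contained version of the length check the quoted message describes: the payload length netlink reports for the attribute must cover the nkeys keys the userspace-supplied header claims, otherwise copying a selector sized from nkeys reads past the attribute. The struct layouts, u32_sel_payload_ok and check_claim are my own stand-ins, not kernel identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel's tc_u32_key / tc_u32_sel (assumption:
 * layout kept close to the uapi structs; only the length logic matters). */
struct u32_key { uint32_t mask, val; int32_t off, offmask; };
struct u32_sel {
    uint8_t flags, offshift, nkeys;   /* nkeys comes from userspace: a claim */
    uint16_t offmask, off; int16_t offoff, hoff; uint32_t hmask;
    struct u32_key keys[];            /* nkeys entries are supposed to follow */
};

/* Bytes a selector with nkeys keys occupies (the struct_size() idea). */
static size_t sel_size(unsigned int nkeys)
{
    return sizeof(struct u32_sel) + (size_t)nkeys * sizeof(struct u32_key);
}

/* Hypothetical check: nla_len is the payload length netlink reports for the
 * attribute. Returns 1 when the payload really holds nkeys keys, 0 when
 * trusting nkeys would read beyond the attribute. */
int u32_sel_payload_ok(const void *payload, size_t nla_len)
{
    struct u32_sel hdr;
    if (nla_len < sizeof(hdr))        /* the minimum the policy enforces */
        return 0;
    memcpy(&hdr, payload, sizeof(hdr)); /* copy out: avoids unaligned reads */
    return nla_len >= sel_size(hdr.nkeys);
}

/* Constructed attribute: header claims `nkeys`, buffer holds `real` keys. */
static int check_claim(uint8_t nkeys, unsigned int real)
{
    unsigned char buf[sizeof(struct u32_sel) + 8 * sizeof(struct u32_key)];
    struct u32_sel hdr = { .nkeys = nkeys };
    memset(buf, 0, sizeof(buf));
    memcpy(buf, &hdr, sizeof(hdr));
    return u32_sel_payload_ok(buf, sel_size(real));
}

int short_attr_rejected(void)  { return check_claim(4, 1) == 0; }
int exact_attr_accepted(void)  { return check_claim(2, 2) == 1; }
int longer_attr_accepted(void) { return check_claim(1, 3) == 1; }

int main(void)
{
    printf("short:%d exact:%d longer:%d\n", short_attr_rejected(),
           exact_attr_accepted(), longer_attr_accepted());
    return 0;
}
```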