Re: [PATCH net] tcp: don't read out-of-bounds opsize

From: David Miller
Date: Mon Apr 23 2018 - 09:52:58 EST

Next message: Vivek Goyal: "Re: [RFC PATCH 13/35] ovl: readd fsync"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH] perf tools: set kernel end address properly"
In reply to: Eric Dumazet: "Re: [PATCH net] tcp: don't read out-of-bounds opsize"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jann Horn <jannh@xxxxxxxxxx>
Date: Fri, 20 Apr 2018 15:57:30 +0200

> The old code reads the "opsize" variable from out-of-bounds memory (first
> byte behind the segment) if a broken TCP segment ends directly after an
> opcode that is neither EOL nor NOP.
>
> The result of the read isn't used for anything, so the worst thing that
> could theoretically happen is a pagefault; and since the physmap is usually
> mostly contiguous, even that seems pretty unlikely.
>
> The following C reproducer triggers the uninitialized read - however, you
> can't actually see anything happen unless you put something like a
> pr_warn() in tcp_parse_md5sig_option() to print the opsize.
...
> Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>

Applied and queued up for -stable, thank you.

Next message: Vivek Goyal: "Re: [RFC PATCH 13/35] ovl: readd fsync"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH] perf tools: set kernel end address properly"
In reply to: Eric Dumazet: "Re: [PATCH net] tcp: don't read out-of-bounds opsize"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]