| From 60eaaa472507a098dc8ac6d2316efc9070a182f8 Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Thu, 13 Sep 2012 11:41:26 +0000 |
| Subject: [PATCH] xfrm_user: return error pointer instead of NULL |
| |
| commit 864745d291b5ba80ea0bd0edcbe67273de368836 upstream. |
| |
| When dump_one_state() returns an error, e.g. because of a too small |
| buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL |
| instead of an error pointer. But its callers expect an error pointer |
| and therefore continue to operate on a NULL skbuff. |
| |
| This could lead to a privilege escalation (execution of user code in |
| kernel context) if the attacker has CAP_NET_ADMIN and is able to map |
| address 0. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Acked-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/xfrm/xfrm_user.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c |
| index 44d18db58cbb..bbc09e0c1ae7 100644 |
| --- a/net/xfrm/xfrm_user.c |
| +++ b/net/xfrm/xfrm_user.c |
| @@ -765,6 +765,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, |
| { |
| struct xfrm_dump_info info; |
| struct sk_buff *skb; |
| + int err; |
| |
| skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); |
| if (!skb) |
| @@ -775,9 +776,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, |
| info.nlmsg_seq = seq; |
| info.nlmsg_flags = 0; |
| |
| - if (dump_one_state(x, 0, &info)) { |
| + err = dump_one_state(x, 0, &info); |
| + if (err) { |
| kfree_skb(skb); |
| - return NULL; |
| + return ERR_PTR(err); |
| } |
| |
| return skb; |
| -- |
| 1.8.5.2 |
| |
