release/5.2.55/AX.25-Prevent-out-of-bounds-read-in-ax25_sendmsg.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From f009f862e7f5b0eeaadb36fd2b5245ee5d9f00c0 Mon Sep 17 00:00:00 2001
 From: Peilin Ye <yepeilin.cs@gmail.com>
 Date: Wed, 22 Jul 2020 12:05:12 -0400
 Subject: [PATCH] AX.25: Prevent out-of-bounds read in ax25_sendmsg()

 commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 upstream.

 Checks on `addr_len` and `usax->sax25_ndigis` are insufficient.
 ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7
 or 8. Fix it.

 It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since
 `addr_len` is guaranteed to be less than or equal to
 `sizeof(struct full_sockaddr_ax25)`

 Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
 index 085a6631eb22..dbe7ef2c7e75 100644
 --- a/net/ax25/af_ax25.c
 +++ b/net/ax25/af_ax25.c
 @@ -1509,7 +1509,8 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
  			struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;

  			/* Valid number of digipeaters ? */
 -			if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) {
 +			if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
 +			    sizeof(ax25_address) * usax->sax25_ndigis) {
  				err = -EINVAL;
  				goto out;
  			}
 --
 2.27.0
	From f009f862e7f5b0eeaadb36fd2b5245ee5d9f00c0 Mon Sep 17 00:00:00 2001
	From: Peilin Ye <yepeilin.cs@gmail.com>
	Date: Wed, 22 Jul 2020 12:05:12 -0400
	Subject: [PATCH] AX.25: Prevent out-of-bounds read in ax25_sendmsg()

	commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 upstream.

	Checks on `addr_len` and `usax->sax25_ndigis` are insufficient.
	ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7
	or 8. Fix it.

	It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since
	`addr_len` is guaranteed to be less than or equal to
	`sizeof(struct full_sockaddr_ax25)`

	Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
	index 085a6631eb22..dbe7ef2c7e75 100644
	--- a/net/ax25/af_ax25.c
	+++ b/net/ax25/af_ax25.c
	@@ -1509,7 +1509,8 @@ static int ax25_sendmsg(struct socket sock, struct msghdr msg, size_t len)
	struct full_sockaddr_ax25 fsa = (struct full_sockaddr_ax25 )usax;

	/* Valid number of digipeaters ? */
	- if (usax->sax25_ndigis < 1 \|\| usax->sax25_ndigis > AX25_MAX_DIGIS) {
	+ if (usax->sax25_ndigis < 1 \|\| addr_len < sizeof(struct sockaddr_ax25) +
	+ sizeof(ax25_address) * usax->sax25_ndigis) {
	err = -EINVAL;
	goto out;
	}
	--
	2.27.0