From foo@baz Thu Jun 29 19:45:34 CEST 2017
From: Mateusz Jurczyk <mjurczyk@google.com>
Date: Wed, 7 Jun 2017 16:14:29 +0200
Subject: decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

From: Mateusz Jurczyk <mjurczyk@google.com>


[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ]

Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/decnet/netfilter/dn_rtmsg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

| --- a/net/decnet/netfilter/dn_rtmsg.c |
| +++ b/net/decnet/netfilter/dn_rtmsg.c |
| @@ -104,7 +104,9 @@ static inline void dnrmg_receive_user_sk |
| { |
| struct nlmsghdr *nlh = nlmsg_hdr(skb); |
| |
| - if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) |
| + if (skb->len < sizeof(*nlh) || |
| + nlh->nlmsg_len < sizeof(*nlh) || |
| + skb->len < nlh->nlmsg_len) |
| return; |
| |
| if (!netlink_capable(skb, CAP_NET_ADMIN)) |
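Review bot: The new `skb->len < sizeof(*nlh)` test is only safe because it is the first operand of the `||` chain, so the short-circuit evaluation guarantees `nlh->nlmsg_len` is never read before the buffer is known to cover the whole header; since `nlh` is just `nlmsg_hdr(skb)` cast over `skb->data`, reordering these operands would silently reintroduce the uninitialized read the commit message describes. A one-line comment above the `if` stating that the order of the three conditions matters would protect this against a future cleanup that regroups them. Minor style point: this check mirrors what the generic netlink receive path expresses with `NLMSG_HDRLEN` and `nlmsg_len(nlh)`; using those helpers here would keep the bounds logic consistent with the rest of the netlink code, but the logic as written is correct.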