projects / linux-2.6-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e75d039) | patch
net: sched: Fix memory exposure from short TCA_U32_SEL
authorKees Cook <keescook@chromium.org>
Sun, 26 Aug 2018 05:58:01 +0000 (22:58 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sun, 26 Aug 2018 21:21:50 +0000 (14:21 -0700)
commit98c8f125fd8a6240ea343c1aa50a1be9047791b8
tree89585edf9ee579356c6ec71c73ef223acbab0ebatree | snapshot
parente75d039a54090470b7a42e803fd4f9398390f907commit | diff
net: sched: Fix memory exposure from short TCA_U32_SEL

Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
policy, so max length isn't enforced, only minimum. This means nkeys
(from userspace) was being trusted without checking the actual size of
nla_len(), which could lead to a memory over-read, and ultimately an
exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
a namespace.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/cls_u32.c diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)