Red Hat Bugzilla – Attachment 316712 Details for Bug 462281: kernel: netlink: fix overrun in attribute iteration
[patch] Upstream patch for this issue
0001-netlink-fix-overrun-in-attribute-iteration.patch (text/plain), 3.10 KB, created by Eugene Teo (Security Response) on 2008-09-15 05:05:40 UTC
Flags: patch, obsolete
>From 1045b03e07d85f3545118510a587035536030c1c Mon Sep 17 00:00:00 2001 
>From: Vegard Nossum <vegard.nossum@gmail.com> >Date: Thu, 11 Sep 2008 19:05:29 -0700 >Subject: [PATCH] netlink: fix overrun in attribute iteration > >kmemcheck reported this: > > kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30) > 0500110001508abf050010000500000002017300140000006f72672e66726565 > i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u > ^ > > Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13) > EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0 > EIP is at nla_parse+0x5a/0xf0 > EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005 > ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88 > DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 > CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0 > DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000 > DR6: ffff4ff0 DR7: 00000400 > [<c05d4b23>] rtnl_setlink+0x63/0x130 > [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200 > [<c05ddf66>] netlink_rcv_skb+0x76/0xa0 > [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30 > [<c05dda21>] netlink_unicast+0x281/0x290 > [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0 > [<c05beef2>] sock_sendmsg+0xd2/0x100 > [<c05bf945>] sys_sendto+0xa5/0xd0 > [<c05bf9a6>] sys_send+0x36/0x40 > [<c05c03d6>] sys_socketcall+0x1e6/0x2c0 > [<c020353b>] sysenter_do_call+0x12/0x3f > [<ffffffff>] 0xffffffff > >This is the line in nla_ok(): > > /** > * nla_ok - check if the netlink attribute fits into the remaining bytes > * @nla: netlink attribute > * @remaining: number of bytes remaining in attribute stream > */ > static inline int nla_ok(const struct nlattr *nla, int remaining) > { > return remaining >= sizeof(*nla) && > nla->nla_len >= sizeof(*nla) && > nla->nla_len <= remaining; > } > >It turns out that remaining can become negative due to alignment in >nla_next(). But GCC promotes "remaining" to unsigned in the test >against sizeof(*nla) above. Therefore the test succeeds, and the >nla_for_each_attr() may access memory outside the received buffer. 
> >A short example illustrating this point is here: > > #include <stdio.h> > > main(void) > { > printf("%d\n", -1 >= sizeof(int)); > } > >...which prints "1". > >This patch adds a cast in front of the sizeof so that GCC will make >a signed comparison and fix the illegal memory dereference. With the >patch applied, there is no kmemcheck report. > >Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> >Acked-by: Thomas Graf <tgraf@suug.ch> >Signed-off-by: David S. Miller <davem@davemloft.net> >--- > include/net/netlink.h | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > >diff --git a/include/net/netlink.h b/include/net/netlink.h >index 18024b8..208fe5a 100644 >--- a/include/net/netlink.h >+++ b/include/net/netlink.h >@@ -702,7 +702,7 @@ static inline int nla_len(const struct nlattr *nla) > */ > static inline int nla_ok(const struct nlattr *nla, int remaining) > { >- return remaining >= sizeof(*nla) && >+ return remaining >= (int) sizeof(*nla) && > nla->nla_len >= sizeof(*nla) && > nla->nla_len <= remaining; > } >-- >1.5.5.1 >
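Review bot: the cast on the first clause of nla_ok() is the right guard, since that test decides whether nla->nla_len is dereferenced at all, but it is a one-token change whose purpose is invisible from the code and a later cleanup could drop it; add a short comment in nla_ok() stating that `remaining` can go negative after the NLA_ALIGN rounding in nla_next() and that the comparison against sizeof(*nla) must therefore stay signed. The other two clauses need no change: nla_len is unsigned, so `nla->nla_len >= sizeof(*nla)` is safe, and `nla->nla_len <= remaining` already compares as int.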
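The signed/unsigned promotion the commit message describes, as an added example that is not part of the patch or the bug report: it models nla_ok() and nla_next() over a constructed 6-byte message and measures how far the unpatched guard lets the nla_len read reach. struct nlattr and NLA_ALIGN are reproduced from the netlink ABI; walk_attrs, run_demo and overrun_bytes are names introduced here.

```c
#include <stdint.h>
#include <string.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; };   /* netlink ABI */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

/* Outcome of one walk: attributes accepted, and the end offset of the
 * furthest nla_len read that the nla_ok() guard allowed. */
struct walk { int count; int max_read_end; };

/* Model of nla_for_each_attr()/nla_ok()/nla_next(). With fixed == 0 the
 * first clause is evaluated as the unpatched kernel did: the usual
 * arithmetic conversions turn a negative int into a huge size_t. */
static struct walk walk_attrs(const unsigned char *base, int len, int fixed)
{
    struct walk w = { 0, 0 };
    int remaining = len;
    const struct nlattr *nla = (const struct nlattr *) base;

    for (;;) {
        int off = (int) ((const unsigned char *) nla - base);
        int fits = fixed ? remaining >= (int) sizeof(*nla)      /* patched */
                         : (size_t) remaining >= sizeof(*nla);  /* unpatched */
        if (!fits)
            break;
        /* nla_ok() now dereferences nla->nla_len; record how far that reaches. */
        if (off + (int) sizeof nla->nla_len > w.max_read_end)
            w.max_read_end = off + (int) sizeof nla->nla_len;
        if (!((size_t) nla->nla_len >= sizeof(*nla) && nla->nla_len <= remaining))
            break;
        w.count++;
        int totlen = NLA_ALIGN(nla->nla_len);                   /* nla_next() */
        remaining -= totlen;                                    /* may go negative */
        nla = (const struct nlattr *) ((const unsigned char *) nla + totlen);
    }
    return w;
}

/* Constructed message: one 6-byte attribute (4-byte header, 2 payload bytes)
 * exactly filling a 6-byte buffer, so NLA_ALIGN(6) == 8 steps past the end.
 * The backing array is larger and canary-filled so the model's overrun
 * stays defined behaviour in this demo. */
static struct walk run_demo(int fixed)
{
    union { uint16_t align; unsigned char bytes[16]; } m;
    const struct nlattr hdr = { 6, 1 };
    memset(m.bytes, 0xAA, sizeof m.bytes);
    memcpy(m.bytes, &hdr, sizeof hdr);
    m.bytes[4] = 0x01;
    m.bytes[5] = 0x02;
    return walk_attrs(m.bytes, 6, fixed);
}

/* Bytes of nla_len read beyond the 6-byte message: 4 unpatched, 0 patched. */
static int overrun_bytes(int fixed)
{
    int end = run_demo(fixed).max_read_end;
    return end > 6 ? end - 6 : 0;
}
```

Both walks accept the single valid attribute; only the unpatched guard goes on to read a header two bytes past the message before the third clause finally stops it.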