Bug 463879
| Summary: | kernel: af_rose sendmsg length check | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | lwang, nhorman |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-12-17 06:57:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Eugene Teo (Security Response)
2008-09-25 03:39:45 UTC
I think Andrew is correct. The sys_sendmsg path will prevent the len parameter that is passed in to rose_sendmsg from ever being less than zero. As such, even if len is 0x7ffffff (on a 32 bit arch), size may go negative, but its use in allocations for skbufs will only be treated as unsigned. I'm not sure why it's not marked as unsigned to begin with (since it has no purpose being signed), but it's harmless in this case.

That being said, there is a failure path, if the rose protocol is used by an in-kernel module. If a kernel module calls kernel_sendmsg on a socket bound to the rose protocol, it is possible to trigger this bug. So it may be worthwhile to fix this (although no modules that I'm aware of make use of AF_ROSE in the kernel).

(In reply to comment #1)
[...]
> That being said, there is a failure path, if the rose protocol is used by an
> in-kernel module. If a kernel module calls kernel_sendmsg on a socket bound to
> the rose protocol, it is possible to trigger this bug. So it may be worthwhile
> to fix this (although no modules that I'm aware of make use of AF_ROSE in the
> kernel.

Thanks Neil. As discussed over email, the checks for kernel_sendmsg are probably unnecessary. If the developer has the ability to load code into kernel space, he/she can do far worse than calling kernel_sendmsg in a kernel module with out-of-range arguments.
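A constructed C illustration of the arithmetic discussed in the thread, added here and not taken from the kernel's rose_sendmsg code (FRAME_OVERHEAD and both function names are assumptions): a signed length plus a fixed header overhead wraps negative and is then handed to an allocator as a huge unsigned size, beside a checked form that rejects negative and near-INT_MAX lengths before the addition.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the header bytes the send path adds to the
 * caller's length; not the kernel's real constant. */
#define FRAME_OVERHEAD 32

/* The pattern the bug describes: a signed int length is added to a fixed
 * overhead and the (still signed) result is passed to an allocator that
 * takes an unsigned size. The addition is done in unsigned arithmetic so
 * this demonstration does not rely on C signed-overflow behaviour. */
size_t naive_alloc_size(int len)
{
    int size = (int)((unsigned int)len + FRAME_OVERHEAD); /* wraps negative */
    return (size_t)size;                                   /* negative -> huge */
}

/* Hardened form: reject lengths below zero (only reachable from an in-kernel
 * caller, since sys_sendmsg never passes a negative len) and lengths whose
 * sum with the overhead would not fit in an int. Returns 0 on success. */
int checked_alloc_size(int len, size_t *out)
{
    if (len < 0 || len > INT_MAX - FRAME_OVERHEAD)
        return -1; /* a real caller would return -EINVAL or -EMSGSIZE */
    *out = (size_t)len + FRAME_OVERHEAD;
    return 0;
}

int main(void)
{
    size_t sz = 0;
    printf("naive   len=INT_MAX -> size %zu\n", naive_alloc_size(INT_MAX));
    printf("checked len=INT_MAX -> rc %d\n", checked_alloc_size(INT_MAX, &sz));
    printf("checked len=100     -> rc %d size %zu\n",
           checked_alloc_size(100, &sz), sz);
    return 0;
}
```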