From: Tomas Bortoli <tomasbortoli@gmail.com> To: vyasevich@gmail.com, nhorman@tuxdriver.com, marcelo.leitner@gmail.com Cc: davem@davemloft.net, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Tomas Bortoli <tomasbortoli@gmail.com> Subject: [PATCH] sctp: socket.c validate sprstat_policy Date: Sat, 27 Oct 2018 22:20:26 +0200 [thread overview] Message-ID: <20181027202026.32157-1-tomasbortoli@gmail.com> (raw) It is possible to perform out-of-bound reads on sctp_getsockopt_pr_streamstatus() and on sctp_getsockopt_pr_assocstatus() by passing from userspace a sprstat_policy that overflows the abandoned_sent/abandoned_unsent fixed length arrays. The over-read data are directly copied/leaked to userspace. Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com --- v2 - added forgot || net/sctp/socket.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index fc0386e8ff23..5290b8bd40c8 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len, } policy = params.sprstat_policy; - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || + __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)) goto out; asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); @@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len, } policy = params.sprstat_policy; - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || + __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)) goto out; asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); -- 2.11.0
WARNING: multiple messages have this Message-ID (diff)
From: Tomas Bortoli <tomasbortoli@gmail.com> To: vyasevich@gmail.com, nhorman@tuxdriver.com, marcelo.leitner@gmail.com Cc: davem@davemloft.net, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Tomas Bortoli <tomasbortoli@gmail.com> Subject: [PATCH] sctp: socket.c validate sprstat_policy Date: Sat, 27 Oct 2018 20:20:26 +0000 [thread overview] Message-ID: <20181027202026.32157-1-tomasbortoli@gmail.com> (raw) In-Reply-To: <20181027195853.30243-1-tomasbortoli@gmail.com> It is possible to perform out-of-bound reads on sctp_getsockopt_pr_streamstatus() and on sctp_getsockopt_pr_assocstatus() by passing from userspace a sprstat_policy that overflows the abandoned_sent/abandoned_unsent fixed length arrays. The over-read data are directly copied/leaked to userspace. Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com --- v2 - added forgot || net/sctp/socket.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index fc0386e8ff23..5290b8bd40c8 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len, } policy = params.sprstat_policy; - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || + __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)) goto out; asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); @@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len, } policy = params.sprstat_policy; - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || + __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)) goto out; asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); -- 2.11.0
next reply other threads:[~2018-10-27 20:20 UTC|newest] Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-10-27 20:20 Tomas Bortoli [this message] 2018-10-27 20:20 ` [PATCH] sctp: socket.c validate sprstat_policy Tomas Bortoli 2018-10-27 20:43 ` Tomas Bortoli 2018-10-27 20:43 ` Tomas Bortoli 2018-10-28 0:03 ` David Miller 2018-10-28 0:03 ` David Miller -- strict thread matches above, loose matches on Subject: below -- 2018-10-27 19:58 Tomas Bortoli 2018-10-27 19:58 ` Tomas Bortoli 2018-10-27 20:50 ` kbuild test robot 2018-10-27 20:50 ` kbuild test robot 2018-10-27 20:53 ` kbuild test robot 2018-10-27 20:53 ` kbuild test robot
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20181027202026.32157-1-tomasbortoli@gmail.com \ --to=tomasbortoli@gmail.com \ --cc=davem@davemloft.net \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-sctp@vger.kernel.org \ --cc=marcelo.leitner@gmail.com \ --cc=netdev@vger.kernel.org \ --cc=nhorman@tuxdriver.com \ --cc=vyasevich@gmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.