From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: Ben Hutchings <ben@decadent.org.uk>,
	"David S. Miller" <davem@davemloft.net>,
	Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.13.y-ckt 02/96] ppp, slip: Validate VJ compression slot parameters completely
Date: Fri, 13 Nov 2015 13:48:16 -0800
Message-ID: <1447451390-16480-3-git-send-email-kamal@canonical.com>
In-Reply-To: <1447451390-16480-1-git-send-email-kamal@canonical.com>

3.13.11-ckt30 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae upstream.

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL.  Change the callers accordingly.

Compile-tested only.

Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/isdn/i4l/isdn_ppp.c   | 10 ++++------
 drivers/net/ppp/ppp_generic.c |  6 ++----
 drivers/net/slip/slhc.c       | 12 ++++++++----
 drivers/net/slip/slip.c       |  2 +-
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
index 12bcce1..0ed6731 100644
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
 	 * VJ header compression init
 	 */
 	is->slcomp = slhc_init(16, 16);	/* not necessary for 2. link in bundle */
-	if (!is->slcomp) {
+	if (IS_ERR(is->slcomp)) {
 		isdn_ppp_ccp_reset_free(is);
-		return -ENOMEM;
+		return PTR_ERR(is->slcomp);
 	}
 #endif
 #ifdef CONFIG_IPPP_FILTER
@@ -574,10 +574,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
 			is->maxcid = val;
 #ifdef CONFIG_ISDN_PPP_VJ
 			sltmp = slhc_init(16, val);
-			if (!sltmp) {
-				printk(KERN_ERR "ippp, can't realloc slhc struct\n");
-				return -ENOMEM;
-			}
+			if (IS_ERR(sltmp))
+				return PTR_ERR(sltmp);
 			if (is->slcomp)
 				slhc_free(is->slcomp);
 			is->slcomp = sltmp;
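Review bot: `is->maxcid = val;` is committed before `slhc_init(16, val)` has validated `val`, so when the new -EINVAL path fires the ioctl fails but `maxcid` keeps the rejected value while `is->slcomp` keeps the old compressor sized for the previous value. Move the assignment after the `IS_ERR(sltmp)` check, next to `is->slcomp = sltmp;`, so the two fields stay consistent on every path.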
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 5a1897d..a2d7d5f 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -716,10 +716,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 			val &= 0xffff;
 		}
 		vj = slhc_init(val2+1, val+1);
-		if (!vj) {
-			netdev_err(ppp->dev,
-				   "PPP: no memory (VJ compressor)\n");
-			err = -ENOMEM;
+		if (IS_ERR(vj)) {
+			err = PTR_ERR(vj);
 			break;
 		}
 		ppp_lock(ppp);
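Review bot: `val` is masked to 0xffff two lines above, so `val+1` can reach 65536 while slhc_init() now accepts at most 255; such requests previously returned success with compression silently disabled for the receive side (and, per the commit message, hit the null dereference for the transmit side) and now fail the ioctl with -EINVAL. That is the right outcome, but it is a userspace-visible change in a stable series and worth a sentence in the commit message, especially since the removed netdev_err() means the rejection is now silent.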
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 1252d9c..b52eabc 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
 static unsigned char * put16(unsigned char *cp, unsigned short x);
 static unsigned short pull16(unsigned char **cpp);
 
-/* Initialize compression data structure
+/* Allocate compression data structure
  *	slots must be in range 0 to 255 (zero meaning no compression)
+ * Returns pointer to structure or ERR_PTR() on error.
  */
 struct slcompress *
 slhc_init(int rslots, int tslots)
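Review bot: the updated comment says ERR_PTR() on error but not which codes are possible; since every caller in this patch now propagates the value straight to userspace as the ioctl result, spell out -EINVAL for out-of-range slot counts and -ENOMEM for allocation failure so that callers and documentation agree.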
@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
 	register struct cstate *ts;
 	struct slcompress *comp;
 
+	if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
+		return ERR_PTR(-EINVAL);
+
 	comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
 	if (! comp)
 		goto out_fail;
 
-	if ( rslots > 0  &&  rslots < 256 ) {
+	if (rslots > 0) {
 		size_t rsize = rslots * sizeof(struct cstate);
 		comp->rstate = kzalloc(rsize, GFP_KERNEL);
 		if (! comp->rstate)
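Review bot: the -EINVAL return sits before kzalloc(), so invalid parameters no longer allocate and free a struct slcompress, and an out-of-range tslots now fails here instead of falling through with `comp->tstate` left NULL (the CVE-2015-7799 path the commit message describes). One nit: the limit 255 is now hardcoded twice in the condition and once in the comment above; a named constant would keep the three in sync if the slot width ever changes.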
@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
 		comp->rslot_limit = rslots - 1;
 	}
 
-	if ( tslots > 0  &&  tslots < 256 ) {
+	if (tslots > 0) {
 		size_t tsize = tslots * sizeof(struct cstate);
 		comp->tstate = kzalloc(tsize, GFP_KERNEL);
 		if (! comp->tstate)
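Review bot: simplifying to `if (tslots > 0)` is correct only because of the new range check at the top of the function; if that check is ever relaxed, this becomes the null-dereference path again. A short comment on this line (`/* range validated above */`) would make the dependency explicit to the next person touching it.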
@@ -141,7 +145,7 @@ out_free2:
 out_free:
 	kfree(comp);
 out_fail:
-	return NULL;
+	return ERR_PTR(-ENOMEM);
 }
 
 
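Review bot: `out_fail` now returns ERR_PTR(-ENOMEM) for every goto that reaches it, which is right since the -EINVAL case returns directly above and the remaining paths are kzalloc() failures. Because the contract has changed from NULL to ERR_PTR, confirm that no other caller of slhc_init() still tests with `!ptr` or `== NULL`; the diffstat updates four call sites, and any missed one would treat an error pointer as a valid struct.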
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index 8752644..0641fcc 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
 	if (cbuff == NULL)
 		goto err_exit;
 	slcomp = slhc_init(16, 16);
-	if (slcomp == NULL)
+	if (IS_ERR(slcomp))
 		goto err_exit;
 #endif
 	spin_lock_bh(&sl->lock);
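Review bot: after `goto err_exit`, `slcomp` still holds the ERR_PTR value. If the shared exit path releases it with slhc_free(), that call would receive an error pointer instead of NULL or a valid struct. Either set `slcomp = NULL` before the goto, or make slhc_free() return early on IS_ERR() as well as on NULL so that it accepts whatever slhc_init() returns.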
-- 
1.9.1


