From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933155Ab3BZX6j (ORCPT ); Tue, 26 Feb 2013 18:58:39 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:42265 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932999Ab3BZX6c (ORCPT ); Tue, 26 Feb 2013 18:58:32 -0500 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathias Krause , Eric Dumazet , "David S. Miller" Subject: [ 135/150] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Date: Tue, 26 Feb 2013 15:56:32 -0800 Message-Id: <20130226235538.312022308@linuxfoundation.org> X-Mailer: git-send-email 1.8.1.rc1.5.g7e0651a In-Reply-To: <20130226235523.930663721@linuxfoundation.org> References: <20130226235523.930663721@linuxfoundation.org> User-Agent: quilt/0.60-2.1.2 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.8-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause [ Upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 ] Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/sock_diag.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT;