linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] crypto_user: Fix out-of-bounds read
@ 2014-04-22 19:30 Andy Lutomirski
  2014-04-23 11:40 ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: Andy Lutomirski @ 2014-04-22 19:30 UTC (permalink / raw)
  To: Herbert Xu, David S. Miller, linux-crypto, linux-kernel
  Cc: security, ebiederm, Andy Lutomirski, stable

This is unlikely to be exploitable for anything except an OOPS.

Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---

Notes:
    This is entirely untested, but it looks obviously correct to me.

 crypto/crypto_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 1512e41..bc7c4b5 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	int type, err;
 
 	type = nlh->nlmsg_type;
-	if (type > CRYPTO_MSG_MAX)
+	if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX)
 		return -EINVAL;
 
 	type -= CRYPTO_MSG_BASE;
-- 
1.9.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] crypto_user: Fix out-of-bounds read
  2014-04-22 19:30 [PATCH] crypto_user: Fix out-of-bounds read Andy Lutomirski
@ 2014-04-23 11:40 ` Dan Carpenter
  2014-04-23 15:48   ` Andy Lutomirski
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2014-04-23 11:40 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: Herbert Xu, David S. Miller, linux-crypto, linux-kernel,
	security, ebiederm, stable

On Tue, Apr 22, 2014 at 12:30:28PM -0700, Andy Lutomirski wrote:
> This is unlikely to be exploitable for anything except an OOPS.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> ---
> 
> Notes:
>     This is entirely untested, but it looks obviously correct to me.
> 
>  crypto/crypto_user.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
> index 1512e41..bc7c4b5 100644
> --- a/crypto/crypto_user.c
> +++ b/crypto/crypto_user.c
> @@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  	int type, err;
>  
>  	type = nlh->nlmsg_type;
> -	if (type > CRYPTO_MSG_MAX)
> +	if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX)
>  		return -EINVAL;

Adding a check here is obviously harmless but I think this is only
called from netlink_rcv_skb() which already checks:

	if (nlh->nlmsg_type < NLMSG_MIN_TYPE)
		goto ack;

NLMSG_MIN_TYPE is 0x10 as well, so I don't think we can hit your
condition.

Your patch freaked me out a little because this is one of the bugs that
I should have caught throught static analysis.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] crypto_user: Fix out-of-bounds read
  2014-04-23 11:40 ` Dan Carpenter
@ 2014-04-23 15:48   ` Andy Lutomirski
  2014-04-23 19:23     ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: Andy Lutomirski @ 2014-04-23 15:48 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: linux-crypto, security, Herbert Xu, Eric W. Biederman,
	David S. Miller, stable, linux-kernel

On Apr 23, 2014 4:40 AM, "Dan Carpenter" <dan.carpenter@oracle.com> wrote:
>
> On Tue, Apr 22, 2014 at 12:30:28PM -0700, Andy Lutomirski wrote:
> > This is unlikely to be exploitable for anything except an OOPS.
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> > ---
> >
> > Notes:
> >     This is entirely untested, but it looks obviously correct to me.
> >
> >  crypto/crypto_user.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
> > index 1512e41..bc7c4b5 100644
> > --- a/crypto/crypto_user.c
> > +++ b/crypto/crypto_user.c
> > @@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >       int type, err;
> >
> >       type = nlh->nlmsg_type;
> > -     if (type > CRYPTO_MSG_MAX)
> > +     if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX)
> >               return -EINVAL;
>
> Adding a check here is obviously harmless but I think this is only
> called from netlink_rcv_skb() which already checks:
>
>         if (nlh->nlmsg_type < NLMSG_MIN_TYPE)
>                 goto ack;
>
> NLMSG_MIN_TYPE is 0x10 as well, so I don't think we can hit your
> condition.
>
> Your patch freaked me out a little because this is one of the bugs that
> I should have caught throught static analysis.

BUILD_BUG_ON(NLMSG_MIN_TYPE != CRYPTO_MSG_BASE) might be a better
thing to add, then.

I don't feel so bad for missing this.

>
> regards,
> dan carpenter
>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] crypto_user: Fix out-of-bounds read
  2014-04-23 15:48   ` Andy Lutomirski
@ 2014-04-23 19:23     ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-04-23 19:23 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: linux-crypto, security, Herbert Xu, Eric W. Biederman,
	David S. Miller, stable, linux-kernel

On Wed, Apr 23, 2014 at 08:48:34AM -0700, Andy Lutomirski wrote:
> BUILD_BUG_ON(NLMSG_MIN_TYPE != CRYPTO_MSG_BASE) might be a better
> thing to add, then.

I don't have a strong opinion.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-04-23 19:24 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-22 19:30 [PATCH] crypto_user: Fix out-of-bounds read Andy Lutomirski
2014-04-23 11:40 ` Dan Carpenter
2014-04-23 15:48   ` Andy Lutomirski
2014-04-23 19:23     ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).