Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/net
History
Eric Dumazet 36b526620d ipv4: fix buffer overflow in ip_options_compile() 
[ Upstream commit 10ec9472f05b45c94db3c854d22581a20b97db41 ]

There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1] :

Its benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.

[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026]  [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394]  [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815]  [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
[28504.934377]  of 40-byte region [ffff880026382800, ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430]  ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884]  ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294]  ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504]  ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483]  ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573]                         ^
[28504.946277]  ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949]  ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114]  ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116]  ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472]  ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269]  f - 8 freed bytes
[28505.100884]  r - 8 redzone bytes
[28505.101649]  . - 8 allocated bytes
[28505.102406]  x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================

[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2014-07-28 08:00:06 -07:00
..
9p 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers 2014-03-06 21:30:03 -08:00
802 net/802/mrp: fix lockdep splat 2013-05-14 13:02:30 -07:00
8021q 8021q: fix a potential memory leak 2014-07-28 08:00:04 -07:00
appletalk appletalk: Fix socket referencing in skb 2014-07-28 08:00:05 -07:00
atm net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
ax25 net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
batman-adv batman-adv: set up network coding packet handlers during module init 2013-11-20 12:27:47 -08:00
bluetooth Bluetooth: Fix locking of hdev when calling into SMP code 2014-07-09 11:14:01 -07:00
bridge bridge: Handle IFLA_ADDRESS correctly when creating bridge device 2014-05-30 21:52:16 -07:00
caif net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
can net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
ceph libceph: fix corruption when using page_count 0 page in rbd 2014-06-07 13:25:40 -07:00
core ipv4: fix dst race in sk_dst_get() 2014-07-28 08:00:04 -07:00
dcb net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
dccp net:dccp: do not report ICMP redirects to user space 2013-10-13 16:08:30 -07:00
decnet net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
dns_resolver dns_resolver: Null-terminate the right string 2014-07-28 08:00:06 -07:00
dsa
ethernet
ieee802154 6lowpan: fix lockdep splats 2014-03-06 21:30:02 -08:00
ipv4 ipv4: fix buffer overflow in ip_options_compile() 2014-07-28 08:00:06 -07:00
ipv6 ipip, sit: fix ipv4_{update_pmtu,redirect} calls 2014-06-26 15:12:38 -04:00
ipx net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
irda net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
iucv af_iucv: wrong mapping of sent and confirmed skbs 2014-06-30 20:09:40 -07:00
key net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
l2tp l2tp: take PMTU from tunnel UDP socket 2014-05-30 21:52:14 -07:00
lapb
llc net: llc: fix use after free in llc_ui_recvmsg 2014-01-15 15:28:50 -08:00
mac80211 mac80211: fix a memory leak on sta rate selection table 2014-07-09 11:14:01 -07:00
mac802154
netfilter ipvs: Fix panic due to non-linear skb 2014-07-06 18:54:15 -07:00
netlabel netlabel: improve domain mapping validation 2013-05-19 14:49:55 -07:00
netlink netlink: Fix handling of error from netlink_dump(). 2014-07-28 08:00:05 -07:00
netrom net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
nfc net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
openvswitch
packet net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
phonet net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
rds rds: prevent dereference of a NULL device in rds_iw_laddr_check 2014-04-14 06:42:18 -07:00
rfkill
rose net: rose: restore old recvmsg behavior 2014-01-15 15:28:49 -08:00
rxrpc net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
sched net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
sctp net: sctp: fix information leaks in ulpevent layer 2014-07-28 08:00:05 -07:00
sunrpc SUNRPC: Fix a module reference leak in svc_handle_xprt 2014-07-06 18:54:14 -07:00
tipc tipc: clear 'next'-pointer of message fragments before reassembly 2014-07-28 08:00:05 -07:00
unix net: unix: non blocking recvmsg() should not return -EINTR 2014-04-14 06:42:15 -07:00
vmw_vsock net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
wimax
wireless radiotap: fix bitmap-end-finding buffer overrun 2014-01-09 12:24:23 -08:00
x25 net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
xfrm net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
Kconfig
Makefile
compat.c x86, x32: Correct invalid use of user timespec in the kernel 2014-02-06 11:08:12 -08:00
nonet.c
socket.c net: socket: error on a negative msg_namelen 2014-04-14 06:42:16 -07:00
sysctl_net.c net: Update the sysctl permissions handler to test effective uid/gid 2013-10-13 16:08:34 -07:00