Re: [patch] net: heap overflow in __audit_sockaddr()

question about klen in move_addr_to_user() · Dan Carpenter <hidden> · 2013-03-18
Re: question about klen in move_addr_to_user() · David Miller <davem@davemloft.net> · 2013-03-19
[patch] net: heap overflow in __audit_sockaddr() · Dan Carpenter <hidden> · 2013-10-02
Re: [patch] net: heap overflow in __audit_sockaddr() · Ben Hutchings <hidden> · 2013-10-02
Re: [patch] net: heap overflow in __audit_sockaddr() · Dan Carpenter <hidden> · 2013-10-02
[patch v2] net: heap overflow in __audit_sockaddr() · Dan Carpenter <hidden> · 2013-10-02
Re: [patch v2] net: heap overflow in __audit_sockaddr() · David Miller <davem@davemloft.net> · 2013-10-03
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Eric Wong <hidden> · 2013-11-27
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Hannes Frederic Sowa <hidden> · 2013-11-27
[patch] net: clamp ->msg_namelen instead of returning an error · Dan Carpenter <hidden> · 2013-11-27
Re: [patch] net: clamp ->msg_namelen instead of returning an error · Eric Wong <hidden> · 2013-11-27
Re: [patch] net: clamp ->msg_namelen instead of returning an error · Eric Dumazet <hidden> · 2013-11-27
Re: [patch] net: clamp ->msg_namelen instead of returning an error · David Miller <davem@davemloft.net> · 2013-11-29
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Linus Torvalds <torvalds@linux-foundation.org> · 2013-11-27
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Hannes Frederic Sowa <hidden> · 2013-11-27
RE: [patch v2] net: heap overflow in __audit_sockaddr() · David Laight <hidden> · 2013-11-27

From: Dan Carpenter <hidden>
Date: 2013-10-02 21:26:18

On Wed, Oct 02, 2013 at 10:11:46PM +0100, Ben Hutchings wrote:

On Wed, 2013-10-02 at 21:58 +0300, Dan Carpenter wrote:

quoted

We need to cap ->msg_namelen or it leads to a buffer overflow when we
to the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
exploit this bug.

The call tree is:
___sys_recvmsg()
  move_addr_to_user()
    audit_sockaddr()
      __audit_sockaddr()

Reported-by: Jüri Aedla <redacted>
Signed-off-by: Dan Carpenter <redacted>

diff --git a/net/socket.c b/net/socket.c
index ebed4b6..c226ace 100644
--- a/net/socket.c
+++ b/net/socket.c

@@ -1964,6 +1964,16 @@ struct used_address {
 	unsigned int name_len;
 };
 
+static int copy_msghdr_from_user(struct msghdr *kmsg,
+				 struct msghdr __user *umsg)
+{
+	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+		return -EFAULT;
+	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+		return -EINVAL;
+	return 0;
+}
+
 static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
 			 struct msghdr *msg_sys, unsigned int flags,
 			 struct used_address *used_address)

@@ -1982,8 +1992,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
 	if (MSG_CMSG_COMPAT & flags) {
 		if (get_compat_msghdr(msg_sys, msg_compat))
 			return -EFAULT;
-	} else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
-		return -EFAULT;
+	} else {
+		err = copy_msghdr_from_user(msg_sys, msg);
+		if (err)
+			return err;
+	}

[...]

This doesn't cover compat tasks, since get_compat_msghdr() has no such
check.

Oops.  Gar...  Thanks for catching that.  I forgot to add that chunk to
the commit.

regards,
dan carpenter

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help