[kernel] r19267 - in dists/sid/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at alioth.debian.org
Sat Jul 21 18:38:09 UTC 2012
Author: benh
Date: Sat Jul 21 18:38:08 2012
New Revision: 19267
Log:
cipso: don't follow a NULL pointer when setsockopt() is called
Added:
dists/sid/linux/debian/patches/bugfix/all/cipso-don-t-follow-a-NULL-pointer-when-setsockopt-is.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Sat Jul 21 18:06:28 2012 (r19266)
+++ dists/sid/linux/debian/changelog Sat Jul 21 18:38:08 2012 (r19267)
@@ -40,6 +40,7 @@
* e100: ucode is optional in some cases
* [x86] drm/i915: prefer wide & slow to fast & narrow in DP configs
(Closes: #658662)
+ * cipso: don't follow a NULL pointer when setsockopt() is called
[ Arnaud Patard ]
* [mipsel] add r8169 to d-i udeb.
Added: dists/sid/linux/debian/patches/bugfix/all/cipso-don-t-follow-a-NULL-pointer-when-setsockopt-is.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/cipso-don-t-follow-a-NULL-pointer-when-setsockopt-is.patch Sat Jul 21 18:38:08 2012 (r19267)
@@ -0,0 +1,89 @@
+From: Paul Moore <pmoore at redhat.com>
+Date: Tue, 17 Jul 2012 11:07:47 +0000
+Subject: cipso: don't follow a NULL pointer when setsockopt() is called
+
+commit 89d7ae34cdda4195809a5a987f697a517a2a3177 upstream.
+
+As reported by Alan Cox, and verified by Lin Ming, when a user
+attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
+tag the kernel dies a terrible death when it attempts to follow a NULL
+pointer (the skb argument to cipso_v4_validate() is NULL when called via
+the setsockopt() syscall).
+
+This patch fixes this by first checking to ensure that the skb is
+non-NULL before using it to find the incoming network interface. In
+the unlikely case where the skb is NULL and the user attempts to add
+a CIPSO option with the _TAG_LOCAL tag we return an error as this is
+not something we want to allow.
+
+A simple reproducer, kindly supplied by Lin Ming, although you must
+have the CIPSO DOI #3 configure on the system first or you will be
+caught early in cipso_v4_validate():
+
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <linux/ip.h>
+ #include <linux/in.h>
+ #include <string.h>
+
+ struct local_tag {
+ char type;
+ char length;
+ char info[4];
+ };
+
+ struct cipso {
+ char type;
+ char length;
+ char doi[4];
+ struct local_tag local;
+ };
+
+ int main(int argc, char **argv)
+ {
+ int sockfd;
+ struct cipso cipso = {
+ .type = IPOPT_CIPSO,
+ .length = sizeof(struct cipso),
+ .local = {
+ .type = 128,
+ .length = sizeof(struct local_tag),
+ },
+ };
+
+ memset(cipso.doi, 0, 4);
+ cipso.doi[3] = 3;
+
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ #define SOL_IP 0
+ setsockopt(sockfd, SOL_IP, IP_OPTIONS,
+ &cipso, sizeof(struct cipso));
+
+ return 0;
+ }
+
+CC: Lin Ming <mlin at ss.pku.edu.cn>
+Reported-by: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index c48adc5..667c1d4 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
+ case CIPSO_V4_TAG_LOCAL:
+ /* This is a non-standard tag that we only allow for
+ * local connections, so if the incoming interface is
+- * not the loopback device drop the packet. */
+- if (!(skb->dev->flags & IFF_LOOPBACK)) {
++ * not the loopback device drop the packet. Further,
++ * there is no legitimate reason for setting this from
++ * userspace so reject it if skb is NULL. */
++ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
+ err_offset = opt_iter;
+ goto validate_return_locked;
+ }
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Sat Jul 21 18:06:28 2012 (r19266)
+++ dists/sid/linux/debian/patches/series Sat Jul 21 18:38:08 2012 (r19267)
@@ -381,3 +381,4 @@
features/all/fermi-accel/drm-nouveau-bump-version-to-1.0.0.patch
bugfix/all/net-e100-ucode-is-optional-in-some-cases.patch
bugfix/x86/drm-i915-prefer-wide-slow-to-fast-narrow-in-DP-confi.patch
+bugfix/all/cipso-don-t-follow-a-NULL-pointer-when-setsockopt-is.patch
More information about the Kernel-svn-changes
mailing list