Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-17 02:36:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

net: add validation for the socket syscall protocol argument

Browse Source 
commit 79462ad02e861803b3840cc782248c7359451cd9 upstream.

郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

	int socket_fd;
	struct sockaddr_in addr;
	addr.sin_port = 0;
	addr.sin_addr.s_addr = INADDR_ANY;
	addr.sin_family = 10;

	socket_fd = socket(10,3,0x40000000);
	connect(socket_fd , &addr,16);

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 2.6.32: open-code U8_MAX; adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
This commit is contained in:
Hannes Frederic Sowa 2015-12-14 22:03:39 +01:00 committed by Willy Tarreau
parent 67fbe958a5
commit be9b6c2946
6 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/net/sock.h
View File

@ -230,6 +230,7 @@ struct sock {
sk_no_check : 2,
sk_userlocks : 4,
sk_protocol : 8,
#define SK_PROTOCOL_MAX ((u8)~0U)
sk_type : 16;
kmemcheck_bitfield_end(flags);
int sk_rcvbuf;

3
net/ax25/af_ax25.c
View File

@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol)
struct sock *sk;
ax25_cb *ax25;
if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
return -EINVAL;
if (net != &init_net)
return -EAFNOSUPPORT;

3
net/decnet/af_decnet.c
View File

@ -679,6 +679,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol)
{
struct sock *sk;
if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
return -EINVAL;
if (net != &init_net)
return -EAFNOSUPPORT;

3
net/ipv4/af_inet.c
View File

@ -273,6 +273,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol)
int try_loading_module = 0;
int err;
if (protocol < 0 || protocol >= IPPROTO_MAX)
return -EINVAL;
if (unlikely(!inet_ehash_secret))
if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
build_ehash_secret();

3
net/ipv6/af_inet6.c
View File

@ -107,6 +107,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol)
int try_loading_module = 0;
int err;
if (protocol < 0 || protocol >= IPPROTO_MAX)
return -EINVAL;
if (sock->type != SOCK_RAW &&
sock->type != SOCK_DGRAM &&
!inet_ehash_secret)

3
net/irda/af_irda.c
View File

@ -1069,6 +1069,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol)
IRDA_DEBUG(2, "%s()\n", __func__);
if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
return -EINVAL;
if (net != &init_net)
return -EAFNOSUPPORT;