Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / fd9b13e6c175b01d61f0f234502919c6c40e4dd2
commitfd9b13e6c175b01d61f0f234502919c6c40e4dd2[log] [tgz]
authorMateusz Jurczyk <mjurczyk@google.com>Wed Jun 07 16:14:29 2017 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Jul 05 14:40:14 2017 +0200
treee1b2e55d453a6faad084b1e16ee3c2184b779330
parentd2f459e3feb0f73d2e95ab7892adcf22f21fe9ef [diff]
decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb


[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ]

Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: e1b2e55d453a6faad084b1e16ee3c2184b779330
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS