iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/ipv4
History
Eric Dumazet 10ec9472f0 ipv4: fix buffer overflow in ip_options_compile() 
There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1] :

Its benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.

[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026]  [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394]  [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815]  [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884]  [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975]  [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175]  [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400]  [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677]  [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851]  [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
[28504.934377]  of 40-byte region [ffff880026382800, ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430]  ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884]  ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294]  ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504]  ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483]  ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573]                         ^
[28504.946277]  ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949]  ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114]  ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116]  ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472]  ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269]  f - 8 freed bytes
[28505.100884]  r - 8 redzone bytes
[28505.101649]  . - 8 allocated bytes
[28505.102406]  x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================

[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-07-21 20:16:26 -07:00
..
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2014-05-30 17:54:47 -07:00
af_inet.c
net-gre-gro: Fix a bug that breaks the forwarding path
2014-07-16 14:45:26 -07:00
ah4.c
ah4: Use the IPsec protocol multiplexer API
2014-02-25 07:04:17 +01:00
arp.c
ipv4: arp: update neighbour address when a gratuitous arp is received and arp_accept is set
2014-01-02 00:08:38 -05:00
cipso_ipv4.c
ipv4: ERROR: code indent should use tabs where possible
2013-12-26 13:43:21 -05:00
datagram.c
ipv4: fix a race in ip4_datagram_release_cb()
2014-06-11 15:39:18 -07:00
devinet.c
ipv4: minor spelling fix
2014-05-18 21:10:29 -04:00
esp4.c
esp4: Use the IPsec protocol multiplexer API
2014-02-25 07:04:17 +01:00
fib_frontend.c
ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif
2014-04-16 15:05:11 -04:00
fib_lookup.h
ipv4: make fib_detect_death static
2013-12-28 17:01:46 -05:00
fib_rules.c
inet: fix NULL pointer Oops in fib(6)_rule_suppress
2013-12-10 17:54:23 -05:00
fib_semantics.c
ipv4: fib_semantics: increment fib_info_cnt after fib_info allocation
2014-05-07 17:14:32 -04:00
fib_trie.c
net: Revert "fib_trie: use seq_file_net rather than seq->private"
2014-06-04 15:11:41 -07:00
gre_demux.c
GRE: enable offloads for GRE
2014-07-11 13:53:39 -07:00
gre_offload.c
net-gre-gro: Fix a bug that breaks the forwarding path
2014-07-16 14:45:26 -07:00
icmp.c
ipv4: icmp: Fix pMTU handling for rare case
2014-07-07 17:22:57 -07:00
igmp.c
igmp: fix the problem when mc leave group
2014-07-07 21:30:55 -07:00
inet_connection_sock.c
ipv4: make ip_local_reserved_ports per netns
2014-05-14 15:31:45 -04:00
inet_diag.c
inet_diag: fix inet_diag_dump_icsk() to use correct state for timewait sockets
2014-01-13 22:35:46 -08:00
inet_fragment.c
inet: frag: make sure forced eviction removes all frags
2014-03-06 15:28:45 -05:00
inet_hashtables.c
net: Use a more standard macro for INET_ADDR_COOKIE
2014-05-14 16:07:23 -04:00
inet_lro.c
lro: remove dead code
2013-12-29 16:34:25 -05:00
inet_timewait_sock.c
tcp/dccp: remove twchain
2013-10-08 23:19:24 -04:00
inetpeer.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2014-06-12 14:27:40 -07:00
ip_forward.c
net: rename local_df to ignore_df
2014-05-12 14:03:41 -04:00
ip_fragment.c
ipv4: fix "conntrack zones" support for defrag user check in ip_expire
2014-05-05 16:02:59 +02:00
ip_gre.c
gre: allow changing mac address when device is up
2014-06-10 22:46:42 -07:00
ip_input.c
net: Fix memory leak if TPROXY used with TCP early demux
2014-01-27 16:22:11 -08:00
ip_options.c
ipv4: fix buffer overflow in ip_options_compile()
2014-07-21 20:16:26 -07:00
ip_output.c
inetpeer: get rid of ip_id_count
2014-06-02 11:00:41 -07:00
ip_sockglue.c
ipv4: yet another new IP_MTU_DISCOVER option IP_PMTUDISC_OMIT
2014-02-26 15:51:00 -05:00
ip_tunnel_core.c
net: Support for multiple checksums with gso
2014-06-04 22:46:38 -07:00
ip_tunnel.c
ip_tunnel: fix ip_tunnel_lookup
2014-07-08 19:35:09 -07:00
ip_vti.c
ip_vti: Fix 'ip tunnel add' with 'key' parameters
2014-06-11 00:30:52 -07:00
ipcomp.c
ipcomp4: Use the IPsec protocol multiplexer API
2014-02-25 07:04:17 +01:00
ipconfig.c
ipv4: ipconfig.c: add parentheses in an if statement
2014-02-14 00:14:23 -05:00
ipip.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-06-11 16:02:55 -07:00
ipmr.c
inetpeer: get rid of ip_id_count
2014-06-02 11:00:41 -07:00
Kconfig
net: neighbour: Remove CONFIG_ARPD
2013-09-03 21:41:43 -04:00
Makefile
xfrm4: Add IPsec protocol multiplexer
2014-02-25 07:04:16 +01:00
netfilter.c
netfilter: remove double colon
2014-02-19 11:41:25 +01:00
ping.c
ping: move ping_group_range out of CONFIG_SYSCTL
2014-05-08 22:50:47 -04:00
proc.c
net: clean up snmp stats code
2014-05-07 16:06:05 -04:00
protocol.c
net: remove outdated comment for ipv4 and ipv6 protocol handler
2013-11-28 18:47:51 -05:00
raw.c
inetpeer: get rid of ip_id_count
2014-06-02 11:00:41 -07:00
route.c
ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
2014-06-30 23:40:58 -07:00
syncookies.c
net: support marking accepting TCP sockets
2014-05-13 18:35:09 -04:00
sysctl_net_ipv4.c
ipv4: make ip_local_reserved_ports per netns
2014-05-14 15:31:45 -04:00
tcp_bic.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_cong.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_cubic.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-05-12 13:19:14 -04:00
tcp_diag.c
tcp_fastopen.c
tcp: remove unnecessary tcp_sk assignment.
2014-06-16 21:35:00 -07:00
tcp_highspeed.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_htcp.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_hybla.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_illinois.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_input.c
tcp: fix false undo corner cases
2014-07-07 21:40:48 -07:00
tcp_ipv4.c
net: support marking accepting TCP sockets
2014-05-13 18:35:09 -04:00
tcp_lp.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_memcontrol.c
cgroup: replace cftype->trigger() with cftype->write()
2014-05-13 12:16:21 -04:00
tcp_metrics.c
net: use the new API kvfree()
2014-06-05 00:49:51 -07:00
tcp_minisocks.c
tcp: use tcp_v4_send_synack on first SYN-ACK
2014-05-13 17:53:02 -04:00
tcp_offload.c
net-gre-gro: Fix a bug that breaks the forwarding path
2014-07-16 14:45:26 -07:00
tcp_output.c
tcp: fix false undo corner cases
2014-07-07 21:40:48 -07:00
tcp_probe.c
tcp: switch rtt estimations to usec resolution
2014-02-26 17:08:40 -05:00
tcp_scalable.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_timer.c
tcp: snmp stats for Fast Open, SYN rtx, and data pkts
2014-03-03 15:58:03 -05:00
tcp_vegas.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_vegas.h
net: ipv4/ipv6: Remove extern from function prototypes
2013-10-19 19:12:11 -04:00
tcp_veno.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp_westwood.c
tcp: remove unused min_cwnd member of tcp_congestion_ops
2014-02-13 18:22:34 -05:00
tcp_yeah.c
tcp: remove in_flight parameter from cong_avoid() methods
2014-05-03 19:23:07 -04:00
tcp.c
tcp: Fix divide by zero when pushing during tcp-repair
2014-07-02 18:21:03 -07:00
tunnel4.c
net: Convert printks to pr_<level>
2012-03-11 23:42:51 -07:00
udp_diag.c
netlink: rename ssk to sk in struct netlink_skb_params
2013-04-19 14:57:56 -04:00
udp_impl.h
net: ipv4/ipv6: Remove extern from function prototypes
2013-10-19 19:12:11 -04:00
udp_offload.c
net: Add skb_gro_postpull_rcsum to udp and vxlan
2014-06-11 15:46:13 -07:00
udp.c
udp: Add MIB counters for rcvbuferrors
2014-06-27 00:20:55 -07:00
udplite.c
net: Eliminate no_check from protosw
2014-05-23 16:28:53 -04:00
xfrm4_input.c
xfrm4: Add IPsec protocol multiplexer
2014-02-25 07:04:16 +01:00
xfrm4_mode_beet.c
ipv4: ERROR: code indent should use tabs where possible
2013-12-26 13:43:21 -05:00
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
inetpeer: get rid of ip_id_count
2014-06-02 11:00:41 -07:00
xfrm4_output.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-05-24 00:32:30 -04:00
xfrm4_policy.c
xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly
2014-03-14 07:28:07 +01:00
xfrm4_protocol.c
xfrm4: Properly handle unsupported protocols
2014-04-29 08:41:12 +02:00
xfrm4_state.c
inet: make no_pmtu_disc per namespace and kill ipv4_config
2013-12-18 16:58:20 -05:00
xfrm4_tunnel.c
sit: add IPv4 over IPv4 support
2013-05-31 17:19:05 -07:00