From: Hannes Frederic Sowa Date: Mon, 14 Dec 2015 21:03:39 +0000 (+0100) Subject: net: add validation for the socket syscall protocol argument X-Git-Tag: v2.6.32.70~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be9b6c294668e0686e8ac69f617c6c1963a91472;p=thirdparty%2Fkernel%2Fstable.git net: add validation for the socket syscall protocol argument commit 79462ad02e861803b3840cc782248c7359451cd9 upstream. 郭永刚 reported that one could simply crash the kernel as root by using a simple program: int socket_fd; struct sockaddr_in addr; addr.sin_port = 0; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_family = 10; socket_fd = socket(10,3,0x40000000); connect(socket_fd , &addr,16); AF_INET, AF_INET6 sockets actually only support 8-bit protocol identifiers. inet_sock's skc_protocol field thus is sized accordingly, thus larger protocol identifiers simply cut off the higher bits and store a zero in the protocol fields. This could lead to e.g. NULL function pointer because as a result of the cut off inet_num is zero and we call down to inet_autobind, which is NULL for raw sockets. kernel: Call Trace: kernel: [] ? inet_autobind+0x2e/0x70 kernel: [] inet_dgram_connect+0x54/0x80 kernel: [] SYSC_connect+0xd9/0x110 kernel: [] ? ptrace_notify+0x5b/0x80 kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 kernel: [] SyS_connect+0xe/0x10 kernel: [] tracesys_phase2+0x84/0x89 I found no particular commit which introduced this problem. CVE: CVE-2015-8543 Cc: Cong Wang Reported-by: 郭永刚 Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller [bwh: Backported to 2.6.32: open-code U8_MAX; adjust context] Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau --- diff --git a/include/net/sock.h b/include/net/sock.h index 78adf52ca2785..0de7d227704fd 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -230,6 +230,7 @@ struct sock { sk_no_check : 2, sk_userlocks : 4, sk_protocol : 8, +#define SK_PROTOCOL_MAX ((u8)~0U) sk_type : 16; kmemcheck_bitfield_end(flags); int sk_rcvbuf; diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 6b9d62b5d8205..c1cf94025628b 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol) struct sock *sk; ax25_cb *ax25; + if (protocol < 0 || protocol > SK_PROTOCOL_MAX) + return -EINVAL; + if (net != &init_net) return -EAFNOSUPPORT; diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c index 5df7b5453556b..7bb3fc397eea8 100644 --- a/net/decnet/af_decnet.c +++ b/net/decnet/af_decnet.c @@ -679,6 +679,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol) { struct sock *sk; + if (protocol < 0 || protocol > SK_PROTOCOL_MAX) + return -EINVAL; + if (net != &init_net) return -EAFNOSUPPORT; diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index d1992a4d166ab..2b9b83e1602ff 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -273,6 +273,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol) int try_loading_module = 0; int err; + if (protocol < 0 || protocol >= IPPROTO_MAX) + return -EINVAL; + if (unlikely(!inet_ehash_secret)) if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) build_ehash_secret(); diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 835590d68876b..02d6175b42f72 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -107,6 +107,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol) int try_loading_module = 0; int err; + if (protocol < 0 || protocol >= IPPROTO_MAX) + return -EINVAL; + if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM && !inet_ehash_secret) diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c index 7cb7613d2ec7f..30ffff85155f7 100644 --- a/net/irda/af_irda.c +++ b/net/irda/af_irda.c @@ -1069,6 +1069,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol) IRDA_DEBUG(2, "%s()\n", __func__); + if (protocol < 0 || protocol > SK_PROTOCOL_MAX) + return -EINVAL; + if (net != &init_net) return -EAFNOSUPPORT;