diff options
| author | Kees Cook <[email protected]> | 2018-08-25 22:58:01 -0700 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2018-08-26 14:21:50 -0700 |
| commit | 98c8f125fd8a6240ea343c1aa50a1be9047791b8 (patch) | |
| tree | 89585edf9ee579356c6ec71c73ef223acbab0eba /scripts/gcc-plugins/structleak_plugin.c | |
| parent | e75d039a54090470b7a42e803fd4f9398390f907 (diff) | |
net: sched: Fix memory exposure from short TCA_U32_SEL
Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
policy, so max length isn't enforced, only minimum. This means nkeys
(from userspace) was being trusted without checking the actual size of
nla_len(), which could lead to a memory over-read, and ultimately an
exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
a namespace.
Reported-by: Al Viro <[email protected]>
Cc: Jamal Hadi Salim <[email protected]>
Cc: Cong Wang <[email protected]>
Cc: Jiri Pirko <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Acked-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'scripts/gcc-plugins/structleak_plugin.c')
0 files changed, 0 insertions, 0 deletions