linux/net/sctp
Christoph Hellwig dfd3d5266d sctp: fix slab-out-of-bounds in SCTP_DELAYED_SACK processing
This sockopt accepts two kinds of parameters, using struct
sctp_sack_info and struct sctp_assoc_value. The mentioned commit didn't
notice an implicit cast from the smaller (latter) struct to the bigger
one (former) when copying the data from the user space, which now leads
to an attempt to write beyond the buffer (because it assumes the storing
buffer is bigger than the parameter itself).

Fix it by allocating a sctp_sack_info on stack and filling it out based
on the small struct for the compat case.

Changelog stole from an earlier patch from Marcelo Ricardo Leitner.

Fixes: ebb25defdc ("sctp: pass a kernel pointer to sctp_setsockopt_delayed_ack")
Reported-by: syzbot+0e4699d000d8b874d8dc@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-24 16:40:36 -07:00
..
associola.c sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket 2020-06-25 16:11:33 -07:00
auth.c sctp: use crypto_shash_tfm_digest() 2020-05-08 15:32:15 +10:00
bind_addr.c sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket 2020-06-25 16:11:33 -07:00
chunk.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
debug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
diag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
endpointola.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
input.c sctp: Add missing annotation for sctp_err_finish() 2020-02-24 13:26:48 -08:00
inqueue.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
ipv6.c net/ipv6: remove compat_ipv6_{get,set}sockopt 2020-07-19 18:16:41 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
objcnt.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 11:00:14 -07:00
output.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
outqueue.c sctp: add enabled check for path tracepoint loop. 2019-12-30 20:33:05 -08:00
primitive.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
proc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
protocol.c net/ipv4: remove compat_ip_{get,set}sockopt 2020-07-19 18:16:41 -07:00
sm_make_chunk.c Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-01 12:00:10 -07:00
sm_sideeffect.c sctp: Don't add the shutdown timer if its already been added 2020-05-19 15:46:52 -07:00
sm_statefuns.c sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed 2020-05-22 15:47:59 -07:00
sm_statetable.c sctp: remove net sctp.x_enable working as a global switch 2019-08-19 18:27:29 -07:00
socket.c sctp: fix slab-out-of-bounds in SCTP_DELAYED_SACK processing 2020-07-24 16:40:36 -07:00
stream.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-31 13:37:13 -08:00
stream_interleave.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
stream_sched.c sctp: rename asoc intl_enable to asoc peer.intl_capable 2019-07-08 20:16:25 -07:00
stream_sched_prio.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
stream_sched_rr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
sysctl.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
transport.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-31 13:37:13 -08:00
tsnmap.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
ulpevent.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
ulpqueue.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00