On Fri, Oct 18, 2019 at 12:06:47PM -0700, Zubin Mithra wrote:
> From: Kees Cook <keescook@xxxxxxxxxxxx>
>
> commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 upstream
>
> Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
> policy, so max length isn't enforced, only minimum. This means nkeys
> (from userspace) was being trusted without checking the actual size of
> nla_len(), which could lead to a memory over-read, and ultimately an
> exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
> a namespace.
>
> Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> Cc: Cong Wang <xiyou.wangcong@xxxxxxxxx>
> Cc: Jiri Pirko <jiri@xxxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: netdev@xxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>
> ---
> Notes:
> * Syzkaller triggered an OOB read in u32_change with the following

Now queued up, thanks.

greg k-h
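The commit message above describes the bug class without showing it: a netlink policy that enforces only a minimum attribute length, and a consumer that then trusts a count field (nkeys) inside the attribute to decide how many trailing keys to read. The following is an added, user-space example written for this page, not kernel code and not the patch being backported. The struct layouts are hypothetical, simplified stand-ins for tc_u32_sel / tc_u32_key (assumption: the real kernel layouts differ), and the attribute payloads are constructed inline. It contrasts a minimum-only policy check with a check that derives the required size from nkeys and compares it against the attribute's actual payload length, which is what the commit says was missing.

```c
/* Added example (not from the kernel or from the patch above). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one u32 classifier key (assumed layout). */
struct key {
    uint32_t mask;
    uint32_t val;
    int32_t  off;
    int32_t  offmask;
};

/* Hypothetical stand-in for the selector header. nkeys comes from
 * userspace and says how many struct key entries follow. */
struct sel {
    uint8_t    flags;
    uint8_t    offshift;
    uint16_t   nkeys;      /* attacker-controlled count */
    uint16_t   offmask;
    uint16_t   off;
    int16_t    offoff;
    int16_t    hoff;
    uint32_t   hmask;
    struct key keys[];     /* flexible array: nkeys entries expected */
};

/* What a policy with only a minimum length enforces: the attribute is at
 * least a header. It says nothing about the keys nkeys promises. */
static bool policy_min_only(size_t nla_len)
{
    return nla_len >= sizeof(struct sel);
}

/* Hardened check: recompute the size the header claims and compare it
 * with nla_len, the bytes actually present. nkeys is 16-bit and struct
 * key is small, so the multiply cannot overflow size_t here; a general
 * version with wider counts would need an explicit overflow check. */
static bool sel_fits(const void *payload, size_t nla_len)
{
    struct sel hdr;
    size_t need;

    if (nla_len < sizeof(hdr))
        return false;
    memcpy(&hdr, payload, sizeof(hdr));   /* memcpy: payload may be unaligned */
    need = sizeof(hdr) + (size_t)hdr.nkeys * sizeof(struct key);
    return nla_len >= need;
}

/* Bytes a consumer that trusts nkeys would read past the end of the
 * attribute, or 0 if the attribute is large enough. */
static size_t overread_bytes(const void *payload, size_t nla_len)
{
    struct sel hdr;
    size_t need;

    if (nla_len < sizeof(hdr))
        return 0;
    memcpy(&hdr, payload, sizeof(hdr));
    need = sizeof(hdr) + (size_t)hdr.nkeys * sizeof(struct key);
    return need > nla_len ? need - nla_len : 0;
}

/* Build a constructed attribute payload: a header claiming `nkeys` keys,
 * followed by `present` zeroed keys. Returns the payload length, or 0 if
 * the buffer is too small. */
static size_t build_sel(unsigned char *buf, size_t bufsz,
                        uint16_t nkeys, uint16_t present)
{
    struct sel hdr;
    size_t len = sizeof(hdr) + (size_t)present * sizeof(struct key);

    if (len > bufsz)
        return 0;
    memset(&hdr, 0, sizeof(hdr));
    hdr.nkeys = nkeys;
    memset(buf, 0, len);
    memcpy(buf, &hdr, sizeof(hdr));
    return len;
}

int main(void)
{
    unsigned char buf[256];
    size_t len;

    /* Honest attribute: claims 2 keys and carries 2. */
    len = build_sel(buf, sizeof(buf), 2, 2);
    printf("honest : min-only=%d fits=%d overread=%zu\n",
           policy_min_only(len), sel_fits(buf, len), overread_bytes(buf, len));

    /* Lying attribute: claims 100 keys but carries none. It satisfies the
     * minimum-only policy, and a consumer trusting nkeys reads 1600 bytes
     * beyond the attribute. */
    len = build_sel(buf, sizeof(buf), 100, 0);
    printf("lying  : min-only=%d fits=%d overread=%zu\n",
           policy_min_only(len), sel_fits(buf, len), overread_bytes(buf, len));
    return 0;
}
```

The point of separating `policy_min_only` from `sel_fits` is that a netlink policy entry can only express a fixed minimum (or exact) length; when the attribute is variable-sized and self-describing, the consumer has to validate the count against `nla_len()` itself before indexing the trailing array.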