Skip to content

Commit 79462ad

Browse files
strssndktndavem330
authored andcommitted
net: add validation for the socket syscall protocol argument
郭永刚 reported that one could simply crash the kernel as root by using a simple program: int socket_fd; struct sockaddr_in addr; addr.sin_port = 0; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_family = 10; socket_fd = socket(10,3,0x40000000); connect(socket_fd , &addr,16); AF_INET, AF_INET6 sockets actually only support 8-bit protocol identifiers. inet_sock's skc_protocol field thus is sized accordingly, thus larger protocol identifiers simply cut off the higher bits and store a zero in the protocol fields. This could lead to e.g. NULL function pointer because as a result of the cut off inet_num is zero and we call down to inet_autobind, which is NULL for raw sockets. kernel: Call Trace: kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70 kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80 kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110 kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80 kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200 kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10 kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89 I found no particular commit which introduced this problem. CVE: CVE-2015-8543 Cc: Cong Wang <cwang@twopensource.com> Reported-by: 郭永刚 <guoyonggang@360.cn> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 20b08e1 commit 79462ad

File tree

6 files changed

+16
-0
lines changed

6 files changed

+16
-0
lines changed

Diff for: include/net/sock.h

+1
Original file line numberDiff line numberDiff line change
@@ -403,6 +403,7 @@ struct sock {
403403
sk_no_check_rx : 1,
404404
sk_userlocks : 4,
405405
sk_protocol : 8,
406+
#define SK_PROTOCOL_MAX U8_MAX
406407
sk_type : 16;
407408
kmemcheck_bitfield_end(flags);
408409
int sk_wmem_queued;

Diff for: net/ax25/af_ax25.c

+3
Original file line numberDiff line numberDiff line change
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
805805
struct sock *sk;
806806
ax25_cb *ax25;
807807

808+
if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
809+
return -EINVAL;
810+
808811
if (!net_eq(net, &init_net))
809812
return -EAFNOSUPPORT;
810813

Diff for: net/decnet/af_decnet.c

+3
Original file line numberDiff line numberDiff line change
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
678678
{
679679
struct sock *sk;
680680

681+
if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
682+
return -EINVAL;
683+
681684
if (!net_eq(net, &init_net))
682685
return -EAFNOSUPPORT;
683686

Diff for: net/ipv4/af_inet.c

+3
Original file line numberDiff line numberDiff line change
@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
257257
int try_loading_module = 0;
258258
int err;
259259

260+
if (protocol < 0 || protocol >= IPPROTO_MAX)
261+
return -EINVAL;
262+
260263
sock->state = SS_UNCONNECTED;
261264

262265
/* Look for the requested type/protocol pair. */

Diff for: net/ipv6/af_inet6.c

+3
Original file line numberDiff line numberDiff line change
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
109109
int try_loading_module = 0;
110110
int err;
111111

112+
if (protocol < 0 || protocol >= IPPROTO_MAX)
113+
return -EINVAL;
114+
112115
/* Look for the requested type/protocol pair. */
113116
lookup_protocol:
114117
err = -ESOCKTNOSUPPORT;

Diff for: net/irda/af_irda.c

+3
Original file line numberDiff line numberDiff line change
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
10861086
struct sock *sk;
10871087
struct irda_sock *self;
10881088

1089+
if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
1090+
return -EINVAL;
1091+
10891092
if (net != &init_net)
10901093
return -EAFNOSUPPORT;
10911094

0 commit comments

Comments
 (0)