50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
From: Eric Dumazet <edumazet@google.com>
|
|
Date: Fri, 2 Dec 2016 09:44:53 -0800
|
|
Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
|
|
Origin: https://git.kernel.org/linus/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
|
|
|
|
CAP_NET_ADMIN users should not be allowed to set negative
|
|
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
|
|
corruptions, crashes, OOM...
|
|
|
|
Note that before commit 82981930125a ("net: cleanups in
|
|
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
|
|
and SO_RCVBUF were vulnerable.
|
|
|
|
This needs to be backported to all known linux kernels.
|
|
|
|
Again, many thanks to syzkaller team for discovering this gem.
|
|
|
|
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
|
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
---
|
|
net/core/sock.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/net/core/sock.c b/net/core/sock.c
|
|
index 5e3ca41..00a074d 100644
|
|
--- a/net/core/sock.c
|
|
+++ b/net/core/sock.c
|
|
@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
|
|
val = min_t(u32, val, sysctl_wmem_max);
|
|
set_sndbuf:
|
|
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
|
|
- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
|
|
+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
|
|
/* Wake up sending tasks if we upped the value. */
|
|
sk->sk_write_space(sk);
|
|
break;
|
|
@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
|
|
* returning the value we actually used in getsockopt
|
|
* is the most desirable behavior.
|
|
*/
|
|
- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
|
|
+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
|
|
break;
|
|
|
|
case SO_RCVBUFFORCE:
|
|
--
|
|
2.1.4
|
|
|