Re: [PATCH v2] net: ping: check minimum size on ICMP header length

From: David Miller
Date: Mon Dec 05 2016 - 13:36:19 EST

Next message: David Miller: "Re: [PATCH net-next] r8169: Add support for restarting auto-negotiation"
Previous message: Netanel Belgazal: "Re: [PATCH V2 net 05/20] net/ena: fix RSS default hash configuration"
In reply to: Kees Cook: "[PATCH v2] net: ping: check minimum size on ICMP header length"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Mon, 5 Dec 2016 10:34:38 -0800

> Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
> was no check that the iovec contained enough bytes for an ICMP header,
> and the read loop would walk across neighboring stack contents. Since the
> iov_iter conversion, bad arguments are noticed, but the returned error is
> EFAULT. Returning EINVAL is a clearer error and also solves the problem
> prior to v3.19.
>
> This was found using trinity with KASAN on v3.18:
...
> CVE-2016-8399
>
> Reported-by: Qidan He <i@xxxxxxxxxxxxx>
> Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Applied and queued up for -stable, thanks.

Next message: David Miller: "Re: [PATCH net-next] r8169: Add support for restarting auto-negotiation"
Previous message: Netanel Belgazal: "Re: [PATCH V2 net 05/20] net/ena: fix RSS default hash configuration"
In reply to: Kees Cook: "[PATCH v2] net: ping: check minimum size on ICMP header length"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]