Gentoo's Bugzilla – Attachment 411484 Details for Bug 545192: =sys-kernel/hardened-sources-3.19.3: crash: PAX: size overflow detected in function _decode_session6 net/ipv6/xfrm6_policy.c:190 cicus.113_120 min, count: 10
Attachment: 0001-xfrm6-Fix-ICMPv6-and-MH-header-checks-in-_decode_ses.patch
Description: 0001-xfrm6-Fix-ICMPv6-and-MH-header-checks-in-_decode_ses.patch
Filename: 0001-xfrm6-Fix-ICMPv6-and-MH-header-checks-in-_decode_ses.patch
MIME Type: text/plain
Creator: Mathias Krause
Created: 2015-09-10 08:16:25 UTC
Size: 1.83 KB
Flags: patch, obsolete
>From 6c8dda8a6314a1992bb37e161035ffccda2179cd Mon Sep 17 00:00:00 2001 >From: Mathias Krause <mathias.krause@secunet.com> >Date: Thu, 10 Sep 2015 09:52:02 +0200 >Subject: [PATCH] xfrm6: Fix ICMPv6 and MH header checks in _decode_session6 > >Ensure there's enough data left prior calling pskb_may_pull(). Otherwise >we'll call it with a negative value converted to unsigned int -- leading >to a huge positive value. > >It doesn't matter in practice as pskb_may_pull() will likely fail >anyway, but it leads to underflow reports on kernels handling such kind >of over-/underflows, e.g. a PaX enabled kernel instrumented with the >size_overflow plugin. > >Reported-by: satmd <satmd@lain.at> >Reported-by: Marcin Jurkowski <marcin1j@gmail.com> >Signed-off-by: Mathias Krause <mathias.krause@secunet.com> >Cc: PaX Team <pageexec@freemail.hu> >--- > net/ipv6/xfrm6_policy.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > >diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c >index ed0583c1b9fc..c988c3f033cf 100644 >--- a/net/ipv6/xfrm6_policy.c >+++ b/net/ipv6/xfrm6_policy.c >@@ -174,7 +174,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) > return; > > case IPPROTO_ICMPV6: >- if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) { >+ if (!onlyproto && (nh + offset + 2 < skb->data || >+ pskb_may_pull(skb, nh + offset + 2 - skb->data))) { > u8 *icmp; > > nh = skb_network_header(skb); >@@ -188,7 +189,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) > #if IS_ENABLED(CONFIG_IPV6_MIP6) > case IPPROTO_MH: > offset += ipv6_optlen(exthdr); >- if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) { >+ if (!onlyproto && (nh + offset + 3 < skb->data || >+ pskb_may_pull(skb, nh + offset + 3 - skb->data))) { > struct ip6_mh *mh; > > nh = skb_network_header(skb); >-- >2.1.4 >
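Review bot: the added short-circuit `nh + offset + 2 < skb->data ||` in the IPPROTO_ICMPV6 hunk does more than silence the size_overflow report; it changes which branch runs. Before, a negative length became a huge unsigned int, pskb_may_pull() failed and the ICMPv6 body was skipped; now the body executes and reads the header without any pull. That is only safe because a pointer below skb->data still lies inside the linear area (the network header is always linear), so that reasoning should be a code comment next to the check, and the commit message's "It doesn't matter in practice" should be reworded to say the branch is now taken in that case.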
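Review bot: the IPPROTO_MH hunk repeats the same idiom with `nh + offset + 3` written twice in one condition, and the ICMPv6 hunk does the same with `+ 2`. Compute the required end pointer once into a local (for example `u8 *end = nh + offset + 3;`) and test `end < skb->data || pskb_may_pull(skb, end - skb->data)`, or factor both call sites into one small helper, so the two checks cannot drift apart when the constants are next adjusted.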