summaryrefslogtreecommitdiff
path: root/lib/rhashtable.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2018-08-26 08:58:01 +0300
committerDavid S. Miller <davem@davemloft.net>2018-08-27 00:21:50 +0300
commit98c8f125fd8a6240ea343c1aa50a1be9047791b8 (patch)
tree89585edf9ee579356c6ec71c73ef223acbab0eba /lib/rhashtable.c
parente75d039a54090470b7a42e803fd4f9398390f907 (diff)
downloadlinux-98c8f125fd8a6240ea343c1aa50a1be9047791b8.tar.xz
net: sched: Fix memory exposure from short TCA_U32_SEL
Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink policy, so max length isn't enforced, only minimum. This means nkeys (from userspace) was being trusted without checking the actual size of nla_len(), which could lead to a memory over-read, and ultimately an exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within a namespace. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Cc: Jiri Pirko <jiri@resnulli.us> Cc: "David S. Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'lib/rhashtable.c')
0 files changed, 0 insertions, 0 deletions