AX.25: Fix out-of-bounds read in ax25_connect() (2f2a7ffa) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux

Commit 2f2a7ffa authored Jul 22, 2020 by

Peilin Ye Committed by David S. Miller Jul 22, 2020

AX.25: Fix out-of-bounds read in ax25_connect()



Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient.
ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis`
equals to 7 or 8. Fix it.

This issue has been reported as a KMSAN uninit-value bug, because in such
a case, ax25_connect() reaches into the uninitialized portion of the
`struct sockaddr_storage` statically allocated in __sys_connect().

It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because
`addr_len` is guaranteed to be less than or equal to
`sizeof(struct full_sockaddr_ax25)`.

Reported-by:  <syzbot+c82752228ed975b0a623@syzkaller.appspotmail.com>
Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66


Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 26cb7085

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 17ad73e9
· Jul 27, 2020

mentioned in commit 17ad73e9

mentioned in commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d

Toggle commit list
mirror @mirror
mentioned in commit 253c17d9
· Aug 04, 2020

mentioned in commit 253c17d9

mentioned in commit 253c17d93abaca5d4a3269a72588f547b4b81339

Toggle commit list
mirror @mirror
mentioned in commit 0724acc5
· Aug 04, 2020

mentioned in commit 0724acc5

mentioned in commit 0724acc5660c6976c53216a5dd7a062ce15a11da

Toggle commit list
mirror @mirror
mentioned in commit c1142de6
· Aug 04, 2020

mentioned in commit c1142de6

mentioned in commit c1142de65e8f7f502896f7a5f3c25845ef5f56ac

Toggle commit list
mirror @mirror
mentioned in commit f0965dc9
· Aug 04, 2020

mentioned in commit f0965dc9

mentioned in commit f0965dc9e6b5a3e215c69c9c554081d108ff1aa2

Toggle commit list
mirror @mirror
mentioned in commit b1cd0a68
· Aug 04, 2020

mentioned in commit b1cd0a68

mentioned in commit b1cd0a68ff498c522b8adb60227f81c76a53b659

Toggle commit list
mirror @mirror
mentioned in commit c8a826b2
· Aug 04, 2020

mentioned in commit c8a826b2

mentioned in commit c8a826b20f428786adc8cb3e015d8566194008e8

Toggle commit list
mirror @mirror
mentioned in commit 9aaa5f94
· Aug 04, 2020

mentioned in commit 9aaa5f94

mentioned in commit 9aaa5f94050e7cddb4f19bb3d8f25a7589c974dd

Toggle commit list
mirror @mirror
mentioned in commit 15a9765c
· Aug 04, 2020

mentioned in commit 15a9765c

mentioned in commit 15a9765cf8dd9373913af7663fd51df6e7151d5e

Toggle commit list
mirror @mirror
mentioned in commit 2f1624fa
· Aug 04, 2020

mentioned in commit 2f1624fa

mentioned in commit 2f1624faf647dfc96bf20b7fd94bdd46902d82fd

Toggle commit list
mirror @mirror
mentioned in commit 350cffdc
· Aug 04, 2020

mentioned in commit 350cffdc

mentioned in commit 350cffdc4131014aed64fdfcb5526e21ccfe9811

Toggle commit list
mirror @mirror
mentioned in commit bbf6af4a
· Aug 04, 2020

mentioned in commit bbf6af4a

mentioned in commit bbf6af4a938a4b6f139440e6d8cd8cb76379962d

Toggle commit list
mirror @mirror
mentioned in commit 2dadee3d
· Aug 04, 2020

mentioned in commit 2dadee3d

mentioned in commit 2dadee3de93fa8ff5011d6fdbf9138784a51af23

Toggle commit list

Please register or to comment