From 8e2e23126709ebffa1bd91e1a6ac77e16714d852 Mon Sep 17 00:00:00 2001
From: Conner Huff <chuff@codeaurora.org>
Date: Thu, 12 Jan 2017 22:09:16 -0700
Subject: net: rmnet_data: Fix incorrect netlink handling

rmnet_data netlink handler currently does not check for the
incoming process pid and instead just loops back the pid.
A malicious root user could potentially send a message with
source pid 0 and this could cause rmnet_data to loop the message
back till an out of memory situation occurs.

rmnet_data also does not check for the message length of the
incoming netlink messages and instead casts the netlink message
without checking for the boundary.

Fix these two scenarios by adding the pid and message length checks
respectively.

Bug: 31252965
CRs-Fixed: 1098801
Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
Signed-off-by: Conner Huff <chuff@codeaurora.org>
---
 net/rmnet_data/rmnet_data_config.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

|
diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
index 9f5a2cc..7876b74 100644
--- a/net/rmnet_data/rmnet_data_config.c
+++ b/net/rmnet_data/rmnet_data_config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -531,6 +531,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
nlmsg_header = (struct nlmsghdr *) skb->data;
rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
 
+ if (!nlmsg_header->nlmsg_pid ||
+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
+ sizeof(struct rmnet_nl_msg_s)))
+ return;
+
LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
nlmsg_header->nlmsg_pid,
nlmsg_header->nlmsg_seq,
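Review bot: the new length check bounds nlmsg_len from below only; nothing in this hunk verifies that skb->len holds a full struct nlmsghdr before the cast at `nlmsg_header = (struct nlmsghdr *) skb->data;`, nor that nlmsg_len does not exceed skb->len, so a header claiming a length larger than the bytes actually received still passes and `rmnet_header` can point past the end of the buffer. The kernel helpers cover both directions: `if (!nlmsg_ok(nlmsg_header, skb->len) || nlmsg_len(nlmsg_header) < sizeof(struct rmnet_nl_msg_s)) return;`. Two smaller points: the early return is silent, so a rejected message leaves no trace in the LOGL line that follows (a log line before the `return;` would help when debugging a client), and since the commit message says replies are routed to the client-supplied nlmsg_pid, NETLINK_CB(skb).portid, which the kernel fills from the sending socket, is the trustworthy reply destination rather than a header field the sender writes.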
--
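The two defects the commit message describes (a reply looped back to pid 0, and a payload cast without a boundary check) come down to validating the netlink header before trusting anything behind it. The following is an added example, not code from the patch or from the rmnet_data driver: it validates a constructed netlink message the way the kernel's own nlmsg_ok() helper does, and goes one step beyond the hunk by also rejecting a header whose nlmsg_len exceeds the bytes actually received. The struct nlmsghdr layout is copied from the netlink ABI so the file builds without <linux/netlink.h>; struct rmnet_nl_msg_s here is an assumed stand-in layout, not the real driver structure, and build_msg/check_case are illustration helpers.

```c
/* Added example, not part of the rmnet_data patch: validating a netlink
 * message (header fit, claimed length, payload size, sender pid) before
 * casting its payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Netlink ABI header (same field layout as <linux/netlink.h>). */
struct nlmsghdr {
    uint32_t nlmsg_len;   /* length of message including this header */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;   /* sender port id; 0 is the kernel itself */
};

/* Assumed payload layout, for illustration only (24 bytes). */
struct rmnet_nl_msg_s {
    uint16_t message_type;
    uint16_t reserved;
    uint32_t arg_length;
    uint8_t  data[16];
};

#define NLMSG_ALIGNTO    4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN     NLMSG_ALIGN(sizeof(struct nlmsghdr))

enum nl_verdict {
    NL_OK = 0,
    NL_ERR_SHORT_BUF,   /* buffer cannot even hold a header */
    NL_ERR_BAD_LEN,     /* nlmsg_len below header size or beyond the buffer */
    NL_ERR_SHORT_BODY,  /* payload smaller than struct rmnet_nl_msg_s */
    NL_ERR_KERNEL_PID   /* nlmsg_pid == 0: a reply would go back to the kernel */
};

/* Same three conditions as the kernel's nlmsg_ok(): a header fits in what was
 * received, nlmsg_len covers at least the header, and nlmsg_len does not run
 * past the received bytes. */
static int nlmsg_fits(const struct nlmsghdr *nlh, size_t remaining)
{
    return remaining >= sizeof(struct nlmsghdr) &&
           nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
           nlh->nlmsg_len <= remaining;
}

/* Validate a received message of buf_len bytes before casting its payload. */
enum nl_verdict validate_rmnet_msg(const void *buf, size_t buf_len)
{
    const struct nlmsghdr *nlh = buf;

    if (buf_len < sizeof(struct nlmsghdr))
        return NL_ERR_SHORT_BUF;          /* cannot read nlmsg_len safely */
    if (!nlmsg_fits(nlh, buf_len))
        return NL_ERR_BAD_LEN;
    if (nlh->nlmsg_len - NLMSG_HDRLEN < sizeof(struct rmnet_nl_msg_s))
        return NL_ERR_SHORT_BODY;         /* the cast would read past the data */
    if (nlh->nlmsg_pid == 0)
        return NL_ERR_KERNEL_PID;         /* would loop the reply to ourselves */
    return NL_OK;
}

/* Construct a message: header with the given claimed length and pid, followed
 * by body_len zero bytes. Returns the number of bytes "received". */
size_t build_msg(uint8_t *buf, size_t buf_cap, uint32_t claimed_len,
                 uint32_t pid, size_t body_len)
{
    struct nlmsghdr hdr = { .nlmsg_len = claimed_len, .nlmsg_type = 0x10,
                            .nlmsg_flags = 0, .nlmsg_seq = 1, .nlmsg_pid = pid };
    size_t total = sizeof(hdr) + body_len;

    if (total > buf_cap)
        return 0;
    memset(buf, 0, buf_cap);
    memcpy(buf, &hdr, sizeof(hdr));
    return total;
}

/* Constructed cases: 0 well formed, 1 pid 0, 2 payload shorter than the
 * struct, 3 nlmsg_len larger than what was received. */
enum nl_verdict check_case(int which)
{
    uint8_t buf[64];
    size_t n;

    switch (which) {
    case 0: n = build_msg(buf, sizeof buf, 16 + 24, 1234, 24); break;
    case 1: n = build_msg(buf, sizeof buf, 16 + 24, 0,    24); break;
    case 2: n = build_msg(buf, sizeof buf, 16 + 4,  1234, 4);  break;
    case 3: n = build_msg(buf, sizeof buf, 16 + 24, 1234, 8);  break;
    default: return NL_ERR_SHORT_BUF;
    }
    return validate_rmnet_msg(buf, n);
}

int main(void)
{
    static const char *names[] = { "ok", "short buffer", "bad nlmsg_len",
                                   "short body", "pid 0" };
    for (int i = 0; i < 4; i++)
        printf("case %d: %s\n", i, names[check_case(i)]);
    return 0;
}
```

Case 3 is the one the patch's condition alone does not catch: nlmsg_len is taken from the message, so comparing it only against a minimum still lets a sender claim a payload that was never received.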