Commit cacc0621 authored Nov 30, 2015 by Marcelo Ricardo Leitner Committed by David S. Miller Dec 02, 2015

sctp: use GFP_USER for user-controlled kmalloc

Dmitry Vyukov reported that the user could trigger a kernel warning by
using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
value directly affects the value used as a kmalloc() parameter.

This patch thus switches the allocation flags from all user-controllable
kmalloc size to GFP_USER to put some more restrictions on it and also
disables the warn, as they are not necessary.

Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 38ee8fb6

net/sctp/socket.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
		return -EFAULT;

		/* Alloc space for the address array in kernel memory. */
		kaddrs = kmalloc(addrs_size, GFP_KERNEL);
		kaddrs = kmalloc(addrs_size, GFP_USER \| __GFP_NOWARN);
		if (unlikely(!kaddrs))
		return -ENOMEM;

		@@ -4928,7 +4928,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
		to = optval + offsetof(struct sctp_getaddrs, addrs);
		space_left = len - offsetof(struct sctp_getaddrs, addrs);

		addrs = kmalloc(space_left, GFP_KERNEL);
		addrs = kmalloc(space_left, GFP_USER \| __GFP_NOWARN);
		if (!addrs)
		return -ENOMEM;