https://github.com/torvalds/linux
Revision 1c95df85ca49640576de2f0a850925957b547b84 authored by Neal Cardwell on 08 December 2012, 19:43:21 UTC, committed by David S. Miller on 09 December 2012, 23:59:37 UTC
Fix inet_diag to be aware of the fact that AF_INET6 TCP connections instantiated for IPv4 traffic and in the SYN-RECV state were actually created with inet_reqsk_alloc(), instead of inet6_reqsk_alloc(). This means that for such connections inet6_rsk(req) returns a pointer to a random spot in memory up to roughly 64KB beyond the end of the request_sock. With this bug, for a server using AF_INET6 TCP sockets and serving IPv4 traffic, an inet_diag user like `ss state SYN-RECV` would lead to inet_diag_fill_req() causing an oops or the export to user space of 16 bytes of kernel memory as a garbage IPv6 address, depending on where the garbage inet6_rsk(req) pointed. Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent ed23ec4
Tip revision: 1c95df85ca49640576de2f0a850925957b547b84 authored by Neal Cardwell on 08 December 2012, 19:43:21 UTC
inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state
inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state
Tip revision: 1c95df8
| File | Mode | Size |
|---|---|---|
| partitions | ||
| Kconfig | -rw-r--r-- | 3.2 KB |
| Kconfig.iosched | -rw-r--r-- | 1.6 KB |
| Makefile | -rw-r--r-- | 720 bytes |
| blk-cgroup.c | -rw-r--r-- | 24.2 KB |
| blk-cgroup.h | -rw-r--r-- | 13.6 KB |
| blk-core.c | -rw-r--r-- | 81.0 KB |
| blk-exec.c | -rw-r--r-- | 3.2 KB |
| blk-flush.c | -rw-r--r-- | 13.1 KB |
| blk-integrity.c | -rw-r--r-- | 11.5 KB |
| blk-ioc.c | -rw-r--r-- | 10.2 KB |
| blk-iopoll.c | -rw-r--r-- | 5.9 KB |
| blk-lib.c | -rw-r--r-- | 6.9 KB |
| blk-map.c | -rw-r--r-- | 8.2 KB |
| blk-merge.c | -rw-r--r-- | 12.7 KB |
| blk-settings.c | -rw-r--r-- | 26.3 KB |
| blk-softirq.c | -rw-r--r-- | 4.5 KB |
| blk-sysfs.c | -rw-r--r-- | 15.5 KB |
| blk-tag.c | -rw-r--r-- | 9.7 KB |
| blk-throttle.c | -rw-r--r-- | 30.8 KB |
| blk-timeout.c | -rw-r--r-- | 4.7 KB |
| blk.h | -rw-r--r-- | 7.1 KB |
| bsg-lib.c | -rw-r--r-- | 6.2 KB |
| bsg.c | -rw-r--r-- | 23.7 KB |
| cfq-iosched.c | -rw-r--r-- | 108.1 KB |
| compat_ioctl.c | -rw-r--r-- | 20.8 KB |
| deadline-iosched.c | -rw-r--r-- | 11.1 KB |
| elevator.c | -rw-r--r-- | 23.0 KB |
| genhd.c | -rw-r--r-- | 43.4 KB |
| ioctl.c | -rw-r--r-- | 10.7 KB |
| noop-iosched.c | -rw-r--r-- | 2.5 KB |
| partition-generic.c | -rw-r--r-- | 14.0 KB |
| scsi_ioctl.c | -rw-r--r-- | 19.6 KB |
Computing file changes ...
