1045b03e07
kmemcheck reported this: kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30) 0500110001508abf050010000500000002017300140000006f72672e66726565 i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u ^ Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13) EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0 EIP is at nla_parse+0x5a/0xf0 EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005 ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0 DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff4ff0 DR7: 00000400 [<c05d4b23>] rtnl_setlink+0x63/0x130 [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200 [<c05ddf66>] netlink_rcv_skb+0x76/0xa0 [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30 [<c05dda21>] netlink_unicast+0x281/0x290 [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0 [<c05beef2>] sock_sendmsg+0xd2/0x100 [<c05bf945>] sys_sendto+0xa5/0xd0 [<c05bf9a6>] sys_send+0x36/0x40 [<c05c03d6>] sys_socketcall+0x1e6/0x2c0 [<c020353b>] sysenter_do_call+0x12/0x3f [<ffffffff>] 0xffffffff This is the line in nla_ok(): /** * nla_ok - check if the netlink attribute fits into the remaining bytes * @nla: netlink attribute * @remaining: number of bytes remaining in attribute stream */ static inline int nla_ok(const struct nlattr *nla, int remaining) { return remaining >= sizeof(*nla) && nla->nla_len >= sizeof(*nla) && nla->nla_len <= remaining; } It turns out that remaining can become negative due to alignment in nla_next(). But GCC promotes "remaining" to unsigned in the test against sizeof(*nla) above. Therefore the test succeeds, and the nla_for_each_attr() may access memory outside the received buffer. A short example illustrating this point is here: #include <stdio.h> main(void) { printf("%d\n", -1 >= sizeof(int)); } ...which prints "1". This patch adds a cast in front of the sizeof so that GCC will make a signed comparison and fix the illegal memory dereference. With the patch applied, there is no kmemcheck report. Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
9p | ||
bluetooth | ||
irda | ||
iucv | ||
netfilter | ||
netns | ||
sctp | ||
tc_act | ||
tipc | ||
act_api.h | ||
addrconf.h | ||
af_rxrpc.h | ||
af_unix.h | ||
ah.h | ||
arp.h | ||
atmclip.h | ||
ax25.h | ||
ax88796.h | ||
cfg80211.h | ||
checksum.h | ||
cipso_ipv4.h | ||
compat.h | ||
datalink.h | ||
dn_dev.h | ||
dn_fib.h | ||
dn_neigh.h | ||
dn_nsp.h | ||
dn_route.h | ||
dn.h | ||
dsfield.h | ||
dst.h | ||
esp.h | ||
fib_rules.h | ||
flow.h | ||
garp.h | ||
gen_stats.h | ||
genetlink.h | ||
icmp.h | ||
ieee80211_crypt.h | ||
ieee80211_radiotap.h | ||
ieee80211.h | ||
if_inet6.h | ||
inet6_connection_sock.h | ||
inet6_hashtables.h | ||
inet_common.h | ||
inet_connection_sock.h | ||
inet_ecn.h | ||
inet_frag.h | ||
inet_hashtables.h | ||
inet_sock.h | ||
inet_timewait_sock.h | ||
inetpeer.h | ||
ip6_checksum.h | ||
ip6_fib.h | ||
ip6_route.h | ||
ip6_tunnel.h | ||
ip_fib.h | ||
ip_vs.h | ||
ip.h | ||
ipcomp.h | ||
ipconfig.h | ||
ipip.h | ||
ipv6.h | ||
ipx.h | ||
iw_handler.h | ||
lapb.h | ||
llc_c_ac.h | ||
llc_c_ev.h | ||
llc_c_st.h | ||
llc_conn.h | ||
llc_if.h | ||
llc_pdu.h | ||
llc_s_ac.h | ||
llc_s_ev.h | ||
llc_s_st.h | ||
llc_sap.h | ||
llc.h | ||
mac80211.h | ||
mip6.h | ||
ndisc.h | ||
neighbour.h | ||
net_namespace.h | ||
netdma.h | ||
netevent.h | ||
netlabel.h | ||
netlink.h | ||
netrom.h | ||
nexthop.h | ||
p8022.h | ||
pkt_cls.h | ||
pkt_sched.h | ||
protocol.h | ||
psnap.h | ||
raw.h | ||
rawv6.h | ||
red.h | ||
request_sock.h | ||
rose.h | ||
route.h | ||
rtnetlink.h | ||
sch_generic.h | ||
scm.h | ||
slhc_vj.h | ||
snmp.h | ||
sock.h | ||
stp.h | ||
syncppp.h | ||
tcp_states.h | ||
tcp.h | ||
timewait_sock.h | ||
transp_v6.h | ||
udp.h | ||
udplite.h | ||
wext.h | ||
wireless.h | ||
x25.h | ||
x25device.h | ||
xfrm.h |