Commit 864745d291b5ba80ea0bd0edcbe67273de368836
Committed by: David S. Miller
Parent: 2c20cbd7e3
xfrm_user: return error pointer instead of NULL
When dump_one_state() returns an error, e.g. because of a too small buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL instead of an error pointer. But its callers expect an error pointer and therefore continue to operate on a NULL skbuff. This could lead to a privilege escalation (execution of user code in kernel context) if the attacker has CAP_NET_ADMIN and is able to map address 0.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 4 additions and 2 deletions
net/xfrm/xfrm_user.c
... | ... | @@ -878,6 +878,7 @@ |
878 | 878 | { |
879 | 879 | struct xfrm_dump_info info; |
880 | 880 | struct sk_buff *skb; |
881 | + int err; | |
881 | 882 | |
882 | 883 | skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); |
883 | 884 | if (!skb) |
884 | 885 | |
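Review bot: the return on the `if (!skb)` allocation-failure path is not visible in this hunk; confirm that branch also returns an error pointer (an `ERR_PTR()` of a negative errno) rather than NULL, so that every failure exit of xfrm_state_netlink() is handled by the same `IS_ERR()` check in callers. Adding `int err;` at the end of the declaration block is fine; it is only used in the second hunk.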
... | ... | @@ -888,9 +889,10 @@ |
888 | 889 | info.nlmsg_seq = seq; |
889 | 890 | info.nlmsg_flags = 0; |
890 | 891 | |
891 | - if (dump_one_state(x, 0, &info)) { | |
892 | + err = dump_one_state(x, 0, &info); | |
893 | + if (err) { | |
892 | 894 | kfree_skb(skb); |
893 | - return NULL; | |
895 | + return ERR_PTR(err); | |
894 | 896 | } |
895 | 897 | |
896 | 898 | return skb; |
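Review bot: `return ERR_PTR(err);` is only a valid error pointer if dump_one_state() returns a negative errno; a positive non-zero return would yield a pointer that `IS_ERR()` does not recognise and callers would then dereference it. Worth confirming that dump_one_state() (and whatever it propagates from the netlink fill helpers) never returns a positive value, or normalising here, e.g. `if (err) { kfree_skb(skb); return ERR_PTR(err < 0 ? err : -EMSGSIZE); }` if that cannot be guaranteed. Also verify that no remaining caller of xfrm_state_netlink() still tests the result with `if (!skb)`, since after this change a NULL check would let an error pointer through and reproduce the dereference the commit message describes, just at a different address.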