WSL2-Linux-Kernel/drivers/s390
Julian Wiedmann 292a50e3fc s390/qeth: reject oversized SNMP requests
Commit d4c08afafa ("s390/qeth: streamline SNMP cmd code") removed
the bounds checking for req_len, under the assumption that the check in
qeth_alloc_cmd() would suffice.

But that code path isn't sufficiently robust to handle a user-provided
data_length, which could overflow (when adding the cmd header overhead)
before being checked against QETH_BUFSIZE. We end up allocating just a
tiny iob, and the subsequent copy_from_user() writes past the end of
that iob.

Special-case this path and add a coarse bounds check, to protect against
maliciuous requests. This let's the subsequent code flow do its normal
job and precise checking, without risk of overflow.

Fixes: d4c08afafa ("s390/qeth: streamline SNMP cmd code")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-08-24 16:34:08 -07:00
..
block s390/dasd: fix endless loop after read unit address configuration 2019-08-01 20:46:14 -06:00
char s390/3215: add switch fall through comment for -Wimplicit-fallthrough 2019-07-29 18:05:03 +02:00
cio vfio-ccw: make vfio_ccw_async_region_ops static 2019-07-29 18:05:03 +02:00
crypto s390/zcrypt: adjust switch fall through comments for -Wimplicit-fallthrough 2019-08-02 13:58:23 +02:00
net s390/qeth: reject oversized SNMP requests 2019-08-24 16:34:08 -07:00
scsi SCSI fixes on 20190720 2019-07-20 10:04:58 -07:00
virtio virtio/s390: fix race on airq_areas[] 2019-07-26 13:36:18 +02:00
Makefile kbuild: rename built-in.o to built-in.a 2018-03-26 02:01:19 +09:00