There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1] :
Its benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.
[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026] [<
ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394] [<
ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843] [<
ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175] [<
ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490] [<
ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835] [<
ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208] [<
ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459] [<
ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815] [<
ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884] [<
ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975] [<
ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175] [<
ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400] [<
ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677] [<
ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851] [<
ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address
ffff880026382828 is located 0 bytes to the right
[28504.934377] of 40-byte region [
ffff880026382800,
ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430]
ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884]
ffff880026382400:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294]
ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504]
ffff880026382600:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483]
ffff880026382700:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >
ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573] ^
[28504.946277]
ffff880026382900:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949]
ffff880026382a00:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114]
ffff880026382b00:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116]
ffff880026382c00:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472]
ffff880026382d00:
ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269] f - 8 freed bytes
[28505.100884] r - 8 redzone bytes
[28505.101649] . - 8 allocated bytes
[28505.102406] x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================
[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>