Size overflow detected in scm_detach_fds (via sys_recvmsg)
Posted: Mon Oct 19, 2015 5:44 pm
grsecurity-3.1-4.2.3-201510190716.patch
Source:
PAX: size overflow detected in function scm_detach_fds ../net/core/scm.c:309 cicus.208_135 min, count: 4, decl: msg_controllen; num: 0; context: msghdr;
[ 9.824184] CPU: 0 PID: 634 Comm: dbus-daemon Not tainted 4.2.3-5-grsec-guest-kvm #1
[ 9.826996] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20141110_125520-cloud137 04/01/2014
[ 9.832067] 5ce08c9a23d488f9 ffffffff81f4769c 0000000000000000 ffffffff81f4769c
[ 9.835002] ffffffff81668e85 ffffffff81f4768d ffffffff81196925 0000040000000000
[ 9.837980] 0000040000000000 ffff88007c3ba170 0000000000000001 00000388c93a3644
[ 9.840944] Call Trace:
[ 9.843047] [<ffffffff81668e85>] ? dump_stack+0x40/0x56
[ 9.845590] [<ffffffff81196925>] ? report_size_overflow+0x35/0x40
[ 9.848243] [<ffffffff8154a2e1>] ? scm_detach_fds+0x2c1/0x2e0
[ 9.850773] [<ffffffff81606e91>] ? unix_stream_read_generic+0x5d1/0x900
[ 9.853435] [<ffffffff81607297>] ? unix_stream_recvmsg+0x47/0x60
[ 9.855953] [<ffffffff816034e0>] ? unix_set_peek_off+0x50/0x50
[ 9.858418] [<ffffffff81532f8e>] ? sock_recvmsg+0x4e/0x70
[ 9.860842] [<ffffffff81534fbf>] ? ___sys_recvmsg+0xef/0x230
[ 9.863271] [<ffffffff815366dd>] ? __sys_recvmsg+0x3d/0x70
[ 9.865675] [<ffffffff8166fe69>] ? entry_SYSCALL_64_fastpath+0x12/0x83
Source:
300         int cmlen = CMSG_LEN(i*sizeof(int));
301         err = put_user(SOL_SOCKET, &cm->cmsg_level);
302         if (!err)
303             err = put_user(SCM_RIGHTS, &cm->cmsg_type);
304         if (!err)
305             err = put_user(cmlen, &cm->cmsg_len);
306         if (!err) {
307             cmlen = CMSG_SPACE(i*sizeof(int));
308             msg->msg_control += cmlen;
309             msg->msg_controllen -= cmlen;
310         }
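Added illustration of the arithmetic behind line 309 (not code from the post or from net/core/scm.c): CMSG_LEN (line 300) is the header plus the raw payload, while CMSG_SPACE (line 307) rounds the payload up to the platform alignment, so for a user buffer that fdmax accepted as holding exactly one int, the value subtracted on line 309 can be larger than msg_controllen and the unsigned subtraction wraps, which is what the PaX size-overflow plugin reports. The layout is the x86_64 one implied by the trace (entry_SYSCALL_64): a 16-byte struct cmsghdr and 8-byte alignment. The CMSG_* helpers mirror the kernel's macros, the fdmax rule is assumed from the caller context that the excerpt does not show, and the clamp is an illustrative defensive check, not a quoted kernel patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed x86_64 (LP64) layout, as in the reported VM: 8-byte alignment and a
 * 16-byte struct cmsghdr. Constructed constants, not taken from the post. */
#define K_LONG_SIZE   8UL
#define K_CMSGHDR_LEN 16UL

/* Mirrors of the kernel's CMSG_ALIGN / CMSG_LEN / CMSG_SPACE macros. */
static size_t k_cmsg_align(size_t len)
{
    return (len + K_LONG_SIZE - 1) & ~(K_LONG_SIZE - 1);
}
static size_t k_cmsg_len(size_t len)   { return k_cmsg_align(K_CMSGHDR_LEN) + len; }
static size_t k_cmsg_space(size_t len) { return k_cmsg_align(K_CMSGHDR_LEN) + k_cmsg_align(len); }

struct detach_result {
    size_t fds_installed;    /* i after the fd-install loop */
    size_t cmsg_len;         /* value line 305 stores in cm->cmsg_len */
    size_t cmlen_space;      /* CMSG_SPACE(i*sizeof(int)) from line 307 */
    int    underflows;       /* 1 if line 309 would wrap msg_controllen */
    size_t controllen_after; /* line 309 result with a clamp so it never wraps */
};

/* Simulate the scm_detach_fds() bookkeeping for `nfds` queued descriptors and a
 * user control buffer of `controllen` bytes. */
struct detach_result simulate_detach(size_t controllen, size_t nfds)
{
    struct detach_result r = {0};
    size_t fdmax = 0;

    /* Caller context (assumed, not in the excerpt): descriptors are only
     * installed if the buffer can hold a header, and the count is capped at
     * the number of ints that fit after that header. */
    if (controllen > K_CMSGHDR_LEN)
        fdmax = (controllen - K_CMSGHDR_LEN) / sizeof(int);
    r.fds_installed = nfds < fdmax ? nfds : fdmax;

    if (r.fds_installed > 0) {
        r.cmsg_len    = k_cmsg_len(r.fds_installed * sizeof(int));   /* line 300 */
        r.cmlen_space = k_cmsg_space(r.fds_installed * sizeof(int)); /* line 307 */
        /* Line 309 is an unsigned subtraction: CMSG_SPACE rounds the payload
         * up to 8 bytes, so it can exceed a controllen that fdmax accepted. */
        r.underflows = controllen < r.cmlen_space;
        /* Illustrative clamp (not a quoted kernel patch): never advance past
         * the end of the buffer the caller supplied. */
        r.controllen_after = r.underflows ? 0 : controllen - r.cmlen_space;
    } else {
        r.controllen_after = controllen;
    }
    return r;
}

int main(void)
{
    /* Constructed cases: a buffer sized for exactly one int after the header,
     * as a single-fd receiver might size it, versus an 8-byte-aligned one. */
    struct detach_result tight  = simulate_detach(K_CMSGHDR_LEN + sizeof(int), 1);
    struct detach_result padded = simulate_detach(k_cmsg_space(sizeof(int)), 1);
    printf("controllen=%zu: cmsg_len=%zu space=%zu underflow=%d\n",
           K_CMSGHDR_LEN + sizeof(int), tight.cmsg_len, tight.cmlen_space, tight.underflows);
    printf("controllen=%zu: cmsg_len=%zu space=%zu underflow=%d\n",
           k_cmsg_space(sizeof(int)), padded.cmsg_len, padded.cmlen_space, padded.underflows);
    return 0;
}
```

The tight case is the shape the report corresponds to: fdmax lets one descriptor through for a 20-byte buffer, line 305 stores cmsg_len 20, but line 307 computes 24 and line 309 would wrap. Any caller whose receive loop trusts msg_controllen afterwards would then read past its buffer, which is why a bounds clamp before the subtraction (or sizing control buffers with CMSG_SPACE in userspace, as dbus-daemon's trace suggests it did not) matters.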