net/packet: check length in getsockopt() called with PACKET_HDRLEN

ramosian-glider · gregkh · commit fa63895f47c9 · 2017-10-08T10:14:18.000+02:00
[ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ]

In the case getsockopt() is called with PACKET_HDRLEN and optlen &lt; 4
|val| remains uninitialized and the syscall may behave differently
depending on its value, and even copy garbage to userspace on certain
architectures. To fix this we now return -EINVAL if optlen is too small.

This bug has been detected with KMSAN.

Signed-off-by: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
@@ -3802,6 +3802,8 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 	case PACKET_HDRLEN:
 		if (len > sizeof(int))
 			len = sizeof(int);
+		if (len < sizeof(int))
+			return -EINVAL;
 		if (copy_from_user(&val, optval, len))
 			return -EFAULT;
 		switch (val) {
