CVE-2021-3743: net: qrtr: fix another OOB Read in qrtr_endpoint_post · torvalds/linux@7e78c59
An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
net: qrtr: fix another OOB Read in qrtr_endpoint_post
This check was incomplete, did not consider size is 0:

    if (len != ALIGN(size, 4) + hdrlen)
        goto err;

If size from qrtr_hdr is 0, the result of ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 0 in header this check won’t fail and

    if (cb->type == QRTR_TYPE_NEW_SERVER) {
        /* Remote node endpoint can bridge other distant nodes */
        const struct qrtr_ctrl_pkt *pkt = data + hdrlen;

        qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
    }

will also read out of bound from data, which is hdrlen allocated block.
Fixes: 194ccc8 (“net: qrtr: Support decoding incoming v2 packets”)
Fixes: ad9d24c (“net: qrtr: fix OOB Read in qrtr_endpoint_post”)
Signed-off-by: Xiaolong Huang [email protected]
Signed-off-by: David S. Miller [email protected]
Showing with 1 addition and 1 deletion.
+1 −1 net/qrtr/qrtr.c
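
A user-space model of the length check described in the commit message, added here as an example; it is not code from the commit or from the kernel. `MODEL_HDRLEN`, the field offset and length, and `bounds_aware_check` are assumptions of this example, and the second check goes beyond the `size == 0` case by requiring the declared payload to cover the bytes read at `data + hdrlen`.

```c
#include <stddef.h>
#include <stdio.h>

/* Round x up to a power-of-two boundary a, as the kernel's ALIGN() does. */
#define ALIGN_UP(x, a) (((x) + ((size_t)(a) - 1)) & ~((size_t)(a) - 1))

/* Constructed model values for this example, not copied from kernel headers. */
enum { MODEL_HDRLEN = 32, MODEL_FIELD_OFF = 12, MODEL_FIELD_LEN = 4 };

/* The check quoted in the commit message; returns 1 when the packet passes. */
int quoted_check(size_t len, size_t size, size_t hdrlen)
{
    return len == ALIGN_UP(size, 4) + hdrlen;
}

/* Hypothetical bounds-aware check: the declared payload must also cover
 * every byte that will be read at data + hdrlen (need bytes). */
int bounds_aware_check(size_t len, size_t size, size_t hdrlen, size_t need)
{
    return size >= need && len == ALIGN_UP(size, 4) + hdrlen;
}

/* Bytes of a field at data + hdrlen + off (flen long) that lie beyond a
 * buffer of len bytes; 0 means the read stays inside the buffer. */
size_t bytes_past_end(size_t len, size_t hdrlen, size_t off, size_t flen)
{
    size_t start = hdrlen + off, end = start + flen;

    if (end <= len)
        return 0;
    return start >= len ? flen : end - len;
}

int main(void)
{
    /* Constructed cases: {len, size}. First row is the commit's scenario. */
    const size_t cases[][2] = { {32, 0}, {33, 0}, {48, 16}, {52, 20} };
    const size_t need = MODEL_FIELD_OFF + MODEL_FIELD_LEN;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t len = cases[i][0], size = cases[i][1];
        printf("len=%zu size=%zu quoted=%d bounds_aware=%d past_end=%zu\n",
               len, size, quoted_check(len, size, MODEL_HDRLEN),
               bounds_aware_check(len, size, MODEL_HDRLEN, need),
               bytes_past_end(len, MODEL_HDRLEN, MODEL_FIELD_OFF, MODEL_FIELD_LEN));
    }
    return 0;
}
```

In the first row the quoted check passes while all four bytes of the modelled field lie past the end of the `hdrlen`-sized buffer, which is the condition the commit message describes.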