Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.

Subject

\[PATCH\] net: ipv4: current group\_info should be put after using.

From

Date

Fri, 11 Apr 2014 13:37:08 -0400

There is a memory leak in ping. Current group\_info had been got in   
ping\_init\_sock and group\_info->usage increased.   
But the usage hasn't decreased anywhere in ping.  
This will make this group\_info never freed and cause memory leak.

unreferenced object 0xcd0e8840 (size 192):  
  comm "dumpstate", pid 7583, jiffies 78360 (age 91.810s)  
  hex dump (first 32 bytes):  
    02 00 00 00 06 00 00 00 01 00 00 00 ef 03 00 00  ................  
    f1 03 00 00 f7 03 00 00 04 04 00 00 bb 0b 00 00  ................  
  backtrace:  
    \[<c1a6bbfc>\] kmemleak\_alloc+0x3c/0xa0  
    \[<c1320457>\] \_\_kmalloc+0xe7/0x1d0  
    \[<c1267c04>\] groups\_alloc+0x34/0xb0  
    \[<c1267e5c>\] SyS\_setgroups+0x3c/0xf0  
    \[<c1a864a8>\] syscall\_call+0x7/0xb  
    \[<ffffffff>\] 0xffffffff

Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>  
Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>  
Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>  
\---  
 net/ipv4/ping.c |   11 ++++++++---  
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c  
index f4b19e5..2af7b1f 100644  
\--- a/net/ipv4/ping.c  
+++ b/net/ipv4/ping.c  
@@ -255,23 +255,28 @@ int ping\_init\_sock(struct sock \*sk)  
 	struct group\_info \*group\_info = get\_current\_groups();  
 	int i, j, count = group\_info->ngroups;  
 	kgid\_t low, high;  
+	int ret = 0;

  	inet\_get\_ping\_group\_range\_net(net, &low, &high);  
 	if (gid\_lte(low, group) && gid\_lte(group, high))  
\-		return 0;  
+		goto out\_release\_group;

  	for (i = 0; i < group\_info->nblocks; i++) {  
 		int cp\_count = min\_t(int, NGROUPS\_PER\_BLOCK, count);  
 		for (j = 0; j < cp\_count; j++) {  
 			kgid\_t gid = group\_info->blocks\[i\]\[j\];  
 			if (gid\_lte(low, gid) && gid\_lte(gid, high))  
\-				return 0;  
+				goto out\_release\_group;  
 		}

  		count -= cp\_count;  
 	}

 -	return -EACCES;  
+	ret = -EACCES;  
+  
+out\_release\_group:  
+	put\_group\_info(group\_info);  
+	return ret;  
 }  
 EXPORT\_SYMBOL\_GPL(ping\_init\_sock);

 --   
1.7.1

CVE-2014-2851: current group_info should be put after using.

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.

Tag

#xiaomi