Comment 0 for bug 1555353

Revision history for this message
Steve Beattie (sbeattie) wrote : integer overflow in xt_alloc_table_info

[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

A recent refactoring cof this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.

More specifically, the overflow may have been introduced in https://github.com/torvalds/linux/commit/711bdde6a884354ddae8da2fcb495b2a9364cc90 ; specifically the bit:

  + size_t sz = sizeof(*info) + size;

(where size is an unsigned int passed from userspace).

This issue should only affect 32bit platforms (xt_table_info.size is an unsigned int).