[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]
A recent refactoring cof this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.
More specifically, the overflow may have been introduced in https://github.com/torvalds/linux/commit/711bdde6a884354ddae8da2fcb495b2a9364cc90 ; specifically the bit:
+ size_t sz = sizeof(*info) + size;
(where size is an unsigned int passed from userspace).
This issue should only affect 32bit platforms (xt_table_info.size is an unsigned int).
[From https:/ /code.google. com/p/google- security- research/ issues/ detail? id=758 ]
A recent refactoring cof this codepath (https:/ /github. com/torvalds/ linux/commit/ 2e4e6a17af35be3 59cc8f1c924f8f1 98fbd478cc) introduced an integer overflow in xt_alloc_ table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.
More specifically, the overflow may have been introduced in https:/ /github. com/torvalds/ linux/commit/ 711bdde6a884354 ddae8da2fcb495b 2a9364cc90 ; specifically the bit:
+ size_t sz = sizeof(*info) + size;
(where size is an unsigned int passed from userspace).
This issue should only affect 32bit platforms (xt_table_info.size is an unsigned int).