From: Kees Cook <keesc...@chromium.org>
Date: Mon, 5 Dec 2016 10:34:38 -0800
> Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
> was no check that the iovec contained enough bytes for an ICMP header,
> and the read loop would walk across neighboring stack contents. Since the
> iov_iter conversion, bad arguments are noticed, but the returned error is
> EFAULT. Returning EINVAL is a clearer error and also solves the problem
> prior to v3.19.
>
> This was found using trinity with KASAN on v3.18:
...
> CVE-2016-8399
>
> Reported-by: Qidan He <i...@flanker017.me>
> Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Kees Cook <keesc...@chromium.org>

Applied and queued up for -stable, thanks.
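The bug the commit message describes, modelled in userspace as an added example (this is not the patch, nor kernel code). It mimics the pre-3.19 shape of the path: a memcpy_fromiovec()-style copy that takes a byte count but no iovec count, and a sendmsg handler that always pulls a full 8-byte ICMP header out of the iovec even when the message is shorter. The names copy_from_iov_unbounded, ping_sendmsg_old/new and the "stale slot" after the user's iovec are hypothetical stand-ins; the constructed two-entry array plays the role of the kernel stack where the user's single iovec was copied in, with whatever an earlier frame left behind sitting right after it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* sizeof(struct icmphdr): type, code, checksum, 4 bytes of rest-of-header. */
#define ICMP_HDR_LEN 8

/* Model of the pre-3.19 memcpy_fromiovec(): no iovec count is passed, it just
 * advances to the next struct iovec until len bytes have been copied.
 * Correctness relies entirely on the caller having checked the total size. */
static void copy_from_iov_unbounded(uint8_t *dst, const struct iovec *iov, size_t len)
{
    while (len > 0) {
        size_t n = iov->iov_len < len ? iov->iov_len : len;
        memcpy(dst, iov->iov_base, n);
        dst += n;
        len -= n;
        iov++;            /* may step past the last entry the user supplied */
    }
}

/* Hypothetical stand-in for the sendmsg path before the fix: len is bounded
 * from above (EMSGSIZE) but never from below. */
int ping_sendmsg_old(const struct iovec *iov, size_t len, uint8_t hdr[ICMP_HDR_LEN])
{
    if (len > 0xFFFF)
        return -EMSGSIZE;
    copy_from_iov_unbounded(hdr, iov, ICMP_HDR_LEN);   /* always reads 8 bytes */
    return 0;
}

/* Same path with the check the patch describes: a message shorter than an
 * ICMP header is rejected with EINVAL before anything is read from the iovec. */
int ping_sendmsg_new(const struct iovec *iov, size_t len, uint8_t hdr[ICMP_HDR_LEN])
{
    if (len > 0xFFFF)
        return -EMSGSIZE;
    if (len < ICMP_HDR_LEN)
        return -EINVAL;
    copy_from_iov_unbounded(hdr, iov, ICMP_HDR_LEN);
    return 0;
}

/* Constructed "neighbouring stack contents": bytes that the stale slot after
 * the user's iovec happens to point at. */
static uint8_t secret[8] = { 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d };

/* Old path with a 4-byte message. The user passed msg_iovlen = 1, but the
 * unbounded copy walks into the slot after it. Returns how many header bytes
 * came from that stale slot rather than from the user. */
int old_path_leaked_bytes(void)
{
    uint8_t user_buf[4] = { 8, 0, 0, 0 };            /* ICMP_ECHO, too short */
    struct iovec kstack_iov[2] = {
        { .iov_base = user_buf, .iov_len = sizeof user_buf }, /* the user's entry */
        { .iov_base = secret,   .iov_len = sizeof secret },   /* stale neighbour */
    };
    uint8_t hdr[ICMP_HDR_LEN] = { 0 };

    if (ping_sendmsg_old(kstack_iov, sizeof user_buf, hdr) != 0)
        return -1;
    return memcmp(hdr + 4, secret, 4) == 0 ? 4 : 0;
}

/* Patched path, same short message: rejected with -EINVAL, nothing copied. */
int new_path_short_rc(void)
{
    uint8_t user_buf[4] = { 8, 0, 0, 0 };
    struct iovec iov = { .iov_base = user_buf, .iov_len = sizeof user_buf };
    uint8_t hdr[ICMP_HDR_LEN];
    return ping_sendmsg_new(&iov, sizeof user_buf, hdr);
}

/* Patched path with a full 8-byte header: accepted and copied intact. */
int new_path_full_rc(void)
{
    uint8_t user_buf[ICMP_HDR_LEN] = { 8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01 };
    struct iovec iov = { .iov_base = user_buf, .iov_len = sizeof user_buf };
    uint8_t hdr[ICMP_HDR_LEN];
    int rc = ping_sendmsg_new(&iov, sizeof user_buf, hdr);
    if (rc == 0 && memcmp(hdr, user_buf, ICMP_HDR_LEN) != 0)
        return -EIO;                                   /* copy was corrupted */
    return rc;
}

int main(void)
{
    printf("old path, 4-byte message: %d header bytes read from the adjacent slot\n",
           old_path_leaked_bytes());
    printf("new path, 4-byte message: rc=%d (-EINVAL is %d)\n",
           new_path_short_rc(), -EINVAL);
    printf("new path, 8-byte message: rc=%d\n", new_path_full_rc());
    return 0;
}
```

The point to take from the model is that the lower bound belongs in the caller, before the copy: the copy routine of that era had no way to know how many iovec entries existed, so a 4-byte message made it read 4 bytes of the user's buffer and then 4 bytes from whatever the next slot on the stack described. A length check of `len < sizeof(struct icmphdr)` returning EINVAL is the minimal fix and, as the commit message notes, is the right error even on kernels where the iov_iter conversion already stops the walk with EFAULT.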