[SRU][B][PATCH 0/1] netlink: potential shift overflow in netlink_bind()
Andrea Righi
andrea.righi at canonical.com
Thu May 30 16:06:51 UTC 2019
Buglink: https://bugs.launchpad.net/bugs/1831103
[Impact]
The check for correctness of netlink_bind() userspace supplied parameter is
done by applying a bitmask made from ngroups shift. However if we have more
than 64 groups the shift results in an overflow causing an incorrect validation
of the netlink_bind() parameters.
This has been fixed upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91874ecf32e41b5d86a4cb9d60e0bee50d828058
And this fix has been applied to xenial, cosmic and disco (apparently only
bionic is missing it).
[Test Case]
I've been able to reproduce this problem using a script with acpid to handle
ACPI hibernate events. The script is the following:
$ cat /etc/acpi/actions/sleep.sh
#!/bin/sh
echo "1=$1 2=$2" >> /home/ubuntu/acpi-event.log
Any kernel that has the fix (xenial and cosmic for example) is logging two
events (input and netlink) when the sleep button is fired:
$ cat /home/ubuntu/acpi-event.log
1=button/sleep 2=SBTN
1=button/sleep 2=LNXSLPBN:00
The bionic kernel, instead, is logging only one event (input, netlink is lost):
$ cat /home/ubuntu/acpi-event.log
1=button/sleep 2=SBTN
[Fix]
Fix that solves this problem:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91874ecf32e41b5d86a4cb9d60e0bee50d828058
[Regression Potential]
Upstream fix, tested on the affected platform, all other kernel releases have
this fix applied already, so regression potential is minimal.
af_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
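The [Impact] paragraph above describes a mask built from an ngroups shift that goes wrong once a socket has 64 groups. The following is an added illustration of that failure mode, not code from the kernel tree or from this patch: it assumes a 64-bit unsigned long (x86_64), emulates the hardware's shift-count wraparound explicitly (since shifting a 64-bit value by 64 is undefined in C), and uses hypothetical helper names (`buggy_group_mask`, `safe_group_mask`, `filter_groups`) to contrast the unchecked mask with a range-checked one. The exact lines changed by the upstream commit are not reproduced here; see the commit URL in the [Fix] section.

```c
#include <stdio.h>
#include <stdint.h>

/* Added illustration of the shift overflow described in the [Impact]
 * section; not code from the kernel or from this patch. Assumes a 64-bit
 * unsigned long (x86_64). Helper names below are hypothetical. */

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Model of what an x86_64 SHL does with an out-of-range count: the count
 * is taken modulo the register width, so 1 << 64 becomes 1 << 0 == 1.
 * In C, 1UL << 64 is undefined behaviour, so we emulate the hardware
 * explicitly instead of invoking UB. */
static unsigned long x86_64_shl(unsigned long v, unsigned int n)
{
    return v << (n & (BITS_PER_LONG - 1));
}

/* Unchecked mask: (1UL << ngroups) - 1 with no range check.
 * For ngroups == 64 the shift wraps to 1, so the mask is 0 and every
 * group bit the caller asked for is silently dropped. */
static unsigned long buggy_group_mask(unsigned int ngroups)
{
    return x86_64_shl(1UL, ngroups) - 1;
}

/* Range-checked mask: only shift when the count fits in the register;
 * with a full register's worth of groups every bit is valid. */
static unsigned long safe_group_mask(unsigned int ngroups)
{
    if (ngroups == 0)
        return 0;
    if (ngroups < BITS_PER_LONG)
        return (1UL << ngroups) - 1;
    return ~0UL;
}

/* Validation step: keep only the group bits that exist on this socket.
 * use_fix selects the checked (1) or unchecked (0) mask. */
static unsigned long filter_groups(unsigned long groups, unsigned int ngroups,
                                   int use_fix)
{
    unsigned long mask = use_fix ? safe_group_mask(ngroups)
                                 : buggy_group_mask(ngroups);
    return groups & mask;
}

int main(void)
{
    /* Constructed inputs: a few group counts and a request for group 1. */
    unsigned int counts[] = { 0, 1, 32, 63, 64 };
    unsigned long want = 0x1UL;

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        unsigned int n = counts[i];
        printf("ngroups=%2u unchecked=%#018lx checked=%#018lx "
               "kept(unchecked)=%#lx kept(checked)=%#lx\n",
               n, buggy_group_mask(n), safe_group_mask(n),
               filter_groups(want, n, 0), filter_groups(want, n, 1));
    }
    return 0;
}
```

With ngroups == 64 the unchecked mask evaluates to 0, so a bind request for any group is reduced to no subscription at all, which matches the symptom in the [Test Case]: the netlink copy of the ACPI event never reaches the listener. The checked variant returns an all-ones mask for a full 64 groups and the subscription survives.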