lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 25 May 2013 14:04:09 +0200 From: Manfred Spraul <manfred@...orfullife.com> To: Peter Hurley <peter@...leysoftware.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH 06/10] ipc: Don't allocate a copy larger than max Hi Peter, You wrote: > When MSG_COPY is set, a duplicate message must be allocated for > the copy before locking the queue. However, the copy could > not be larger than was sent which is limited to msg_ctlmax. > > Signed-off-by: Peter Hurley <peter@...leysoftware.com> > --- > ipc/msg.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/ipc/msg.c b/ipc/msg.c > index 950572f..31cd1bf 100644 > --- a/ipc/msg.c > +++ b/ipc/msg.c > @@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, > struct msg_msg *copy = NULL; > unsigned long copy_number = 0; > > + ns = current->nsproxy->ipc_ns; > + > if (msqid < 0 || (long) bufsz < 0) > return -EINVAL; > if (msgflg & MSG_COPY) { > - copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number); > + copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax), > + msgflg, &msgtyp, ©_number); What about: - increase msg_ctlmax - send message - reduce msg_ctlmax The side effects of the patch are odd: - without MSG_COPY, a message can be read regardsless of the size. The user could check for E2BIG and increase the buffer size until msgrcv succeeds. - with MSG_COPY, something else would happen. As far as I can see, it would oops: msg_ctlmax bytes are allocated, then the E2BIG test is against bufsz, and copy_msg() doesn't check the size of the target buffer. I.e.: I would propose to revert the patch. -- Manfred -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists