| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Oct 2010 08:28:38 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Dan Rosenberg <drosenberg@...curity.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
jon.maloy@...csson.com, allan.stephens@...driver.com,
Al Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH] net: Limit socket I/O iovec total length to INT_MAX.
On Fri, Oct 29, 2010 at 7:00 AM, Dan Rosenberg <drosenberg@...curity.com> wrote:
>
> While you guys are at it, you might consider preventing sendto(), etc.
> calls from requesting >= 2GB data in one go.
Indeed. David - I think we have to, because that thing converts its
arguments to an iovec and then does a sendmsg, but since it's already
in kernel space it doesn't go through the verify_iovec() path.
So sendto/recvfrom (and possibly others that build their own msg
struct in kernel space) should be limited to MAX_INT too, so that
there's no back way to create a big iovec..
In fs/read_write.c, do_sync_read/write() do that iovec thing too, but
at least for the regular vfs_read()/vfs_write cases they will have
gone through rw_verify_area() first, which does the size limiting for
them.
We do need to fix the readv/writev path, though. It does the
rw_verify_area(), but it doesn't seem to limit the size to the
returned length, but still uses the original one. Hmm.
I think I'll take care of the readv/writev thing, and send it by Al to verify.
Linus
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists