lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Apr 2015 14:49:40 +0200 From: Jiri Slaby <jslaby@...e.cz> To: stable@...r.kernel.org Cc: linux-kernel@...r.kernel.org, Catalin Marinas <catalin.marinas@....com>, "David S. Miller" <davem@...emloft.net>, Dan Carpenter <dan.carpenter@...cle.com>, Jiri Slaby <jslaby@...e.cz> Subject: [PATCH 3.12 011/155] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour From: Catalin Marinas <catalin.marinas@....com> 3.12-stable review patch. If anyone has any objections, please let me know. =============== [ Upstream commit 91edd096e224941131f896b86838b1e59553696a ] Commit db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error) introduced the clamping of msg_namelen when the unsigned value was larger than sizeof(struct sockaddr_storage). This caused a msg_namelen of -1 to be valid. The native code was subsequently fixed by commit dbb490b96584 (net: socket: error on a negative msg_namelen). In addition, the native code sets msg_namelen to 0 when msg_name is NULL. This was done in commit (6a2a2b3ae075 net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland) and subsequently updated by 08adb7dabd48 (fold verify_iovec() into copy_msghdr_from_user()). This patch brings the get_compat_msghdr() in line with copy_msghdr_from_user(). Fixes: db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error) Cc: David S. Miller <davem@...emloft.net> Cc: Dan Carpenter <dan.carpenter@...cle.com> Signed-off-by: Catalin Marinas <catalin.marinas@....com> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Jiri Slaby <jslaby@...e.cz> --- net/compat.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/compat.c b/net/compat.c index 275af79c131b..d12529050b29 100644 --- a/net/compat.c +++ b/net/compat.c @@ -71,6 +71,13 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || __get_user(kmsg->msg_flags, &umsg->msg_flags)) return -EFAULT; + + if (!tmp1) + kmsg->msg_namelen = 0; + + if (kmsg->msg_namelen < 0) + return -EINVAL; + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) kmsg->msg_namelen = sizeof(struct sockaddr_storage); kmsg->msg_name = compat_ptr(tmp1); -- 2.3.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists