lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20130319.094240.1315516663563952557.davem@davemloft.net>
Date:	Tue, 19 Mar 2013 09:42:40 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	dan.carpenter@...cle.com
Cc:	dhowells@...hat.com, netdev@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch] RxRPC: use copy_to_user() instead of memcpy()

From: Dan Carpenter <dan.carpenter@...cle.com>
Date: Mon, 18 Mar 2013 13:55:03 +0300

> This is a user pointer.  Changing the memcpy() to copy_to_user()
> fixes a hang on my system.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
> I'm not very familiar with this code, so please review this
> carefully.

It really should be a kernel pointer, not a user pointer.

For example, look at how recvfrom() cooks up a recvmsg method
call:

	struct sockaddr_storage address;
 ...
	msg.msg_name = (struct sockaddr *)&address;
	msg.msg_namelen = sizeof(address);
 ...
	err = sock_recvmsg(sock, &msg, size, flags);

recvmsg() proper works similarly, copying the user msghdr into a
kernel space copy via verify_iovec() or verify_compat_iovec() (and
I can understand how it's not obvious that this is the function
that performs this operation).

>  		/* copy the peer address and timestamp */
>  		if (!continue_call) {
> -			if (msg->msg_name && msg->msg_namelen > 0)
> -				memcpy(msg->msg_name,
> -				       &call->conn->trans->peer->srx,
> -				       sizeof(call->conn->trans->peer->srx));

I bet the size is too large for a sockaddr_storage, and therefore we
spam the kernel stack.  So I can only guess that changing this to a
copy_to_user() fixes the hang because it simply faults on the kernel
destination address.

->srx should be a "struct sockaddr_rxrpc" but that doesn't appear to
exceed the 128-byte size of sockaddr_storage.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ