[ 083/143] net: clamp ->msg_namelen instead of returning an error

From: Willy Tarreau
Date: Sun May 11 2014 - 22:12:27 EST

Next message: Willy Tarreau: "[ 110/143] rds: prevent dereference of a NULL device in rds_iw_laddr_check"
Previous message: Willy Tarreau: "[ 107/143] net: socket: error on a negative msg_namelen"
Next in thread: Dan Carpenter: "Re: [ 083/143] net: clamp ->msg_namelen instead of returning an error"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.32-longterm review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

[ Upstream commit db31c55a6fb245fdbb752a2ca4aefec89afabb06 ]

If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
original code that would lead to memory corruption in the kernel if you
had audit configured. If you didn't have audit configured it was
harmless.

There are some programs such as beta versions of Ruby which use too
large of a buffer and returning an error code breaks them. We should
clamp the ->msg_namelen value instead.

Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
Reported-by: Eric Wong <normalperson@xxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Tested-by: Eric Wong <normalperson@xxxxxxxx>
Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Willy Tarreau <w@xxxxxx>
---
net/compat.c | 2 +-
net/socket.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/compat.c b/net/compat.c
index d325d16..e9672c8 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -70,7 +70,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
__get_user(kmsg->msg_flags, &umsg->msg_flags))
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
- return -EINVAL;
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
kmsg->msg_name = compat_ptr(tmp1);
kmsg->msg_iov = compat_ptr(tmp2);
kmsg->msg_control = compat_ptr(tmp3);
diff --git a/net/socket.c b/net/socket.c
index 712f977..0823497 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1872,7 +1872,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
- return -EINVAL;
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
return 0;
}

--
1.7.12.2.21.g234cd45.dirty

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Willy Tarreau: "[ 110/143] rds: prevent dereference of a NULL device in rds_iw_laddr_check"
Previous message: Willy Tarreau: "[ 107/143] net: socket: error on a negative msg_namelen"
Next in thread: Dan Carpenter: "Re: [ 083/143] net: clamp ->msg_namelen instead of returning an error"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]