From patchwork Tue Jan 14 21:02:08 2014
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 310873
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] net: clamp ->msg_namelen instead of returning an error
Date: Tue, 14 Jan 2014 21:02:08 +0000
Message-Id: <1389733328-16988-2-git-send-email-apw@canonical.com>
X-Mailer: git-send-email 1.8.5.2
In-Reply-To: <1389733328-16988-1-git-send-email-apw@canonical.com>
References: <1389733328-16988-1-git-send-email-apw@canonical.com>
Cc: Andy Whitcroft
List-Id: Kernel team discussions

From: Dan Carpenter

If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
original code that would lead to memory corruption in the kernel if you
had audit configured.  If you didn't have audit configured it was
harmless.

There are some programs such as beta versions of Ruby which use too
large of a buffer and returning an error code breaks them.  We should
clamp the ->msg_namelen value instead.

Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
Reported-by: Eric Wong
Signed-off-by: Dan Carpenter
Tested-by: Eric Wong
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit db31c55a6fb245fdbb752a2ca4aefec89afabb06)
BugLink: http://bugs.launchpad.net/bugs/1269053
Signed-off-by: Andy Whitcroft
---
 net/compat.c | 2 +-
 net/socket.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/compat.c b/net/compat.c
index 8903258..09c3d84 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) __get_user(kmsg->msg_flags, &umsg->msg_flags)) return -EFAULT; if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) - return -EINVAL; + kmsg->msg_namelen = sizeof(struct sockaddr_storage); kmsg->msg_name = compat_ptr(tmp1); kmsg->msg_iov = compat_ptr(tmp2); kmsg->msg_control = compat_ptr(tmp3); diff --git a/net/socket.c b/net/socket.c index 4b94643..d64bfbf 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1979,7 +1979,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) return -EFAULT; if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) - return -EINVAL; + kmsg->msg_namelen = sizeof(struct sockaddr_storage); return 0; }
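Review bot: in the net/compat.c hunk the clamp is silent and nothing at the site records why an oversized msg_namelen is now accepted instead of rejected; add a one-line comment above `kmsg->msg_namelen = sizeof(struct sockaddr_storage);` giving the compatibility reason from the commit message (user programs that pass a too-large buffer), so a later cleanup does not put the `return -EINVAL;` back. The clamp does sit before `kmsg->msg_name = compat_ptr(tmp1);`, so every later consumer of the name/length pair sees at most sizeof(struct sockaddr_storage) bytes, which is the bound the earlier audit fix relied on.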
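Review bot: the net/socket.c hunk is a second verbatim copy of the check in get_compat_msghdr(), and the two have to stay identical because the native and compat parsers feed the same address-copy and audit code; consider a shared helper or at least matching comments so they do not drift apart again. One property worth stating in that comment: the in-kernel struct msghdr declares msg_namelen as a signed int, so comparing it against `sizeof(struct sockaddr_storage)` (a size_t) promotes a negative value to a huge unsigned one, and negative lengths are therefore clamped as well rather than slipping past the check; a later change to an unsigned field or a signed comparison would alter that without anyone noticing.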
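Added example, not part of this patch or of the kernel tree: a user-space probe that shows the behavioural difference the commit message describes. It binds a UDP receiver on 127.0.0.1, then sends one datagram with sendmsg(2) whose msg_name buffer is 4096 bytes (an assumed size, chosen only because it is far larger than the 128-byte struct sockaddr_storage); a real sockaddr_in occupies the front of that buffer and the rest is zero. With 1661bf364ae9 alone the call fails with EINVAL; with this clamp the kernel reads only the first 128 bytes, UDP sees a valid sockaddr_in, and the datagram is delivered. The same oversized length is also pushed through sendto(2) for contrast: that path goes through move_addr_to_kernel(), which this patch does not touch and which still rejects lengths above sizeof(struct sockaddr_storage). The names probe_namelen, make_receiver, BIG_NAMELEN and PROBE_SKIPPED are this example's own; it needs a loopback interface and reports "skipped" when sockets cannot be created.

```c
/* Added example: probe the msg_namelen clamp from user space.
 * Not kernel code; names and the 4096-byte size are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <unistd.h>

#define BIG_NAMELEN 4096   /* assumed; deliberately >> sizeof(struct sockaddr_storage) */
#define PROBE_SKIPPED (-1) /* sockets or loopback unavailable in this environment */

/* Bound UDP receiver on 127.0.0.1 with an ephemeral port; fills in *bound. */
static int make_receiver(struct sockaddr_in *bound)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    *bound = sin;
    return fd;
}

/* Send one datagram to a local receiver with the destination address length
 * set to `namelen`; use_sendto selects sendto(2) instead of sendmsg(2).
 * Returns 0 if the datagram was sent and received, the errno of the failed
 * send call, or PROBE_SKIPPED if the sockets could not be set up. */
int probe_namelen(int use_sendto, socklen_t namelen)
{
    struct sockaddr_in dst;
    int rx = make_receiver(&dst);
    if (rx < 0)
        return PROBE_SKIPPED;
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (tx < 0) {
        close(rx);
        return PROBE_SKIPPED;
    }

    /* Oversized address buffer: a valid sockaddr_in at the front, zeros after.
     * A kernel that clamps namelen still hands UDP a usable address; a kernel
     * that rejects oversized lengths fails the call with EINVAL. */
    unsigned char name[BIG_NAMELEN];
    memset(name, 0, sizeof name);
    memcpy(name, &dst, sizeof dst);

    char payload[] = "namelen-probe";
    ssize_t sent;
    if (use_sendto) {
        sent = sendto(tx, payload, sizeof payload, 0,
                      (struct sockaddr *)name, namelen);
    } else {
        struct iovec iov = { .iov_base = payload, .iov_len = sizeof payload };
        struct msghdr msg;
        memset(&msg, 0, sizeof msg);
        msg.msg_name = name;
        msg.msg_namelen = namelen;  /* the field this patch clamps */
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        sent = sendmsg(tx, &msg, 0);
    }

    int result;
    if (sent < 0) {
        result = errno;
    } else {
        /* Confirm delivery instead of trusting the send return value. */
        char buf[sizeof payload];
        struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        ssize_t n = recv(rx, buf, sizeof buf, 0);
        result = (n == (ssize_t)sizeof payload &&
                  memcmp(buf, payload, sizeof payload) == 0) ? 0 : EIO;
    }
    close(tx);
    close(rx);
    return result;
}

static void report(const char *call, socklen_t namelen, int r)
{
    if (r == PROBE_SKIPPED)
        printf("%s: sockets unavailable, probe skipped\n", call);
    else if (r == 0)
        printf("%s with namelen=%u: delivered\n", call, (unsigned)namelen);
    else
        printf("%s with namelen=%u: %s\n", call, (unsigned)namelen, strerror(r));
}

int main(void)
{
    report("sendmsg", sizeof(struct sockaddr_in), probe_namelen(0, sizeof(struct sockaddr_in)));
    report("sendmsg", BIG_NAMELEN, probe_namelen(0, BIG_NAMELEN)); /* EINVAL before this patch */
    report("sendto ", BIG_NAMELEN, probe_namelen(1, BIG_NAMELEN)); /* still EINVAL: not clamped */
    return 0;
}
```

Run it on a kernel with only 1661bf364ae9 and the second line reports "Invalid argument"; on a kernel with this patch it reports "delivered", while the sendto(2) line keeps reporting "Invalid argument" either way. The baseline call with namelen = sizeof(struct sockaddr_in) is there to tell an unpatched kernel apart from an environment where UDP over loopback simply does not work.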