| Message ID | 20090926212302.0ce64a5c@infradead.org |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
[Arjan van de Ven - Sat, Sep 26, 2009 at 09:23:02PM +0200] ... | | goof once goof twice, make it sizeof.. that's nicer. | yeah, I was about to propose the same :) ... - Cyrill -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Arjan van de Ven <arjan@infradead.org> Date: Sat, 26 Sep 2009 21:23:02 +0200 > The sys_socketcall() function has a very clever system for the copy > size of its arguments. Unfortunately, gcc cannot deal with this in > terms of proving that the copy_from_user() is then always in bounds. > This is the last (well 9th of this series, but last in the kernel) such > case around. > > With this patch, we can turn on code to make having the boundary provably > right for the whole kernel, and detect introduction of new security > accidents of this type early on. > > Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/socket.c b/net/socket.c index 49917a1..13a8d67 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) unsigned long a[6]; unsigned long a0, a1; int err; + unsigned int len; if (call < 1 || call > SYS_ACCEPT4) return -EINVAL; + len = nargs[call]; + if (len > sizeof(a)) + return -EINVAL; + /* copy_from_user should be SMP safe. */ - if (copy_from_user(a, args, nargs[call])) + if (copy_from_user(a, args, len)) return -EFAULT; audit_socketcall(nargs[call] / sizeof(unsigned long), a);