From patchwork Fri Dec 12 17:16:24 2014
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 420592
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [lucid/precise/trusty/utopic 1/1] net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.
Date: Fri, 12 Dec 2014 17:16:24 +0000
Message-Id: <1418404584-16428-2-git-send-email-apw@canonical.com>
In-Reply-To: <1418404584-16428-1-git-send-email-apw@canonical.com>

From: Ani Sinha

Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when msg_name passed set as NULL. When developers don't set msg_namelen member in msghdr, it might contain garbage value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will break old binaries and any code for which there is no access to source code.

To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.

Signed-off-by: Ani Sinha
Signed-off-by: David S. Miller
(cherry picked from commit 6a2a2b3ae0759843b22c929881cc184b00cc63ff)

BugLink: http://bugs.launchpad.net/bugs/1335478
Signed-off-by: Andy Whitcroft
--- net/socket.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/socket.c b/net/socket.c index abf56b2..6d48a43 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1988,6 +1988,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) return -EFAULT; + if (kmsg->msg_name == NULL) + kmsg->msg_namelen = 0; + if (kmsg->msg_namelen < 0) return -EINVAL;
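
Review bot: the added "if (kmsg->msg_name == NULL)" branch in copy_msghdr_from_user() carries no comment, yet the fix only works because it sits ahead of the existing "if (kmsg->msg_namelen < 0)" check, so that ordering should be documented in the code. A one-line comment stating that a NULL msg_name means the length supplied by userland is ignored and forced to 0, for callers that leave the field uninitialised, would keep a later cleanup from moving the assignment below the validation and bringing back the EINVAL. Only this one function is touched in the lines shown, so it is also worth confirming in review that any other path which copies a msghdr from userland and applies the same length check gets the same normalisation.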