From patchwork Sun Dec 10 03:50:58 2017
X-Patchwork-Submitter: simo.ghannam@gmail.com
X-Patchwork-Id: 846641
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <5a2caf2e.4ce61c0a.5017a.575f@mx.google.com>
From: simo.ghannam@gmail.com
To: netdev@vger.kernel.org
Cc: Mohamed Ghannam
Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
Date: Sun, 10 Dec 2017 03:50:58 +0000
X-Mailer: git-send-email 2.14.1
X-Mailing-List: netdev@vger.kernel.org

From: Mohamed Ghannam

inet->hdrincl is racy, and could lead to uninitialized stack pointer usage, so its value should be read only once.

Signed-off-by: Mohamed Ghannam
Reviewed-by: Eric Dumazet
---
 net/ipv4/raw.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 33b70bfd1122..125c1eab3eaa 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) int err; struct ip_options_data opt_copy; struct raw_frag_vec rfv; + int hdrincl; err = -EMSGSIZE; if (len > 0xFFFF) goto out; + /* hdrincl should be READ_ONCE(inet->hdrincl) + * but READ_ONCE() doesn't work with bit fields + */ + hdrincl = inet->hdrincl; /* * Check the flags. */ @@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) /* Linux does not mangle headers on raw sockets, * so that IP options + IP_HDRINCL is non-sense. */ - if (inet->hdrincl) + if (hdrincl) goto done; if (ipc.opt->opt.srr) { if (!daddr) @@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE, - inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, + hdrincl ? IPPROTO_RAW : sk->sk_protocol, inet_sk_flowi_flags(sk) | - (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), + (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), daddr, saddr, 0, 0, sk->sk_uid); - if (!inet->hdrincl) { + if (!hdrincl) { rfv.msg = msg; rfv.hlen = 0; @@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) goto do_confirm; back_from_confirm: - if (inet->hdrincl) + if (hdrincl) err = raw_send_hdrinc(sk, &fl4, msg, len, &rt, msg->msg_flags, &ipc.sockc);
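Review bot: the new comment in the first hunk ("hdrincl should be READ_ONCE(inet->hdrincl) but READ_ONCE() doesn't work with bit fields") explains why the plain assignment is used but not why a snapshot is needed at all, and the commit message only says the field "is racy". One sentence naming the concurrent writer (the socket option that flips this flag, which the "IP options + IP_HDRINCL is non-sense" comment in the second hunk already alludes to) and what goes wrong when two reads disagree would make the change self-explanatory for anyone bisecting to it. It is also worth a note in the comment that, since the local is a plain `int` copy rather than a `READ_ONCE()` load, the guarantee relied on is only that every later test in this function uses the same local, so any future `inet->hdrincl` read added to raw_sendmsg() reopens the window; a grep for remaining readers should accompany the patch.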
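Review bot: the third hunk is where the race actually bites and deserves a line in the commit message: `rfv.msg` and `rfv.hlen` are only assigned under `if (!hdrincl)`, so with the old code a flag that read 1 here and 0 at the later dispatch left `rfv` uninitialized on the stack, which is the "uninitialized stack pointer usage" the commit message refers to without saying so. The same hunk also shows a second, quieter inconsistency that the snapshot fixes: `flowi4_init_output()` read `inet->hdrincl` twice in one call, once for `IPPROTO_RAW : sk->sk_protocol` and once for `FLOWI_FLAG_KNOWN_NH`, so the flow key could previously be built with a raw protocol but without the known-nexthop flag (or vice versa); mentioning that would document why both sites, not just the `if` tests, had to move to the local.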
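Review bot: in the last hunk the dispatch sits just after the `back_from_confirm:` label, so this test can be reached a second time after the confirm round trip; with the local it now always agrees with the `rfv` setup in the previous hunk, which is the property the fix needs. The `else` path that consumes `rfv` is outside the hunk context, so the reviewer should confirm it reads nothing else from `inet` that is tied to the header-include mode, since a single such read would have the same two-decisions-one-flag shape this patch removes.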