Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net/core
History
Wei Yongjun 1ac70e7ad2 [NET]: Fix function put_cmsg() which may cause usr application memory overflow 
When used function put_cmsg() to copy kernel information to user 
application memory, if the memory length given by user application is 
not enough, by the bad length calculate of msg.msg_controllen, 
put_cmsg() function may cause the msg.msg_controllen to be a large 
value, such as 0xFFFFFFF0, so the following put_cmsg() can also write 
data to usr application memory even usr has no valid memory to store 
this. This may cause usr application memory overflow.

int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
    struct cmsghdr __user *cm
        = (__force struct cmsghdr __user *)msg->msg_control;
    struct cmsghdr cmhdr;
    int cmlen = CMSG_LEN(len);
    ~~~~~~~~~~~~~~~~~~~~~
    int err;

    if (MSG_CMSG_COMPAT & msg->msg_flags)
        return put_cmsg_compat(msg, level, type, len, data);

    if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
        msg->msg_flags |= MSG_CTRUNC;
        return 0; /* XXX: return error? check spec. */
    }
    if (msg->msg_controllen < cmlen) {
    ~~~~~~~~~~~~~~~~~~~~~~~~
        msg->msg_flags |= MSG_CTRUNC;
        cmlen = msg->msg_controllen;
    }
    cmhdr.cmsg_level = level;
    cmhdr.cmsg_type = type;
    cmhdr.cmsg_len = cmlen;

    err = -EFAULT;
    if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
        goto out;
    if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
        goto out;
    cmlen = CMSG_SPACE(len);
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    If MSG_CTRUNC flags is set, msg->msg_controllen is less than 
CMSG_SPACE(len), "msg->msg_controllen -= cmlen" will cause unsinged int 
type msg->msg_controllen to be a large value.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    msg->msg_control += cmlen;
    msg->msg_controllen -= cmlen;
    ~~~~~~~~~~~~~~~~~~~~~
    err = 0;
out:
    return err;
}

The same promble exists in put_cmsg_compat(). This patch can fix this 
problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2007-12-20 14:36:44 -08:00
..
Makefile [NET]: Fix running without sysfs 2007-10-10 16:52:46 -07:00
datagram.c [NET]: Do not dereference iov if length is zero 2007-09-11 10:29:07 +02:00
dev.c [NET] net/core/: Spelling fixes 2007-12-20 14:02:06 -08:00
dev_mcast.c [NET]: Move unneeded data to initdata section. 2007-11-13 03:23:50 -08:00
dst.c [NET]: Removing duplicit #includes 2007-11-07 04:11:44 -08:00
ethtool.c [ETHTOOL] Provide default behaviors for a few ethtool sub-ioctls 2007-10-10 16:51:17 -07:00
fib_rules.c [INET]: Small possible memory leak in FIB rules 2007-11-10 22:12:03 -08:00
filter.c [NET]: Fix bug in sk_filter race cures. 2007-10-18 21:48:39 -07:00
flow.c [NET]: Use BUILD_BUG_ON in net/core/flowi.c 2007-10-23 21:27:57 -07:00
gen_estimator.c remove asm/bitops.h includes 2007-10-19 11:53:41 -07:00
gen_stats.c [SK_BUFF]: Convert skb->tail to sk_buff_data_t 2007-04-25 22:26:28 -07:00
iovec.c [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
kmap_skb.h [PATCH] severing skbuff.h -> highmem.h 2006-12-04 02:00:29 -05:00
link_watch.c [NET] link_watch: Always schedule urgent events 2007-05-10 23:45:28 -07:00
neighbour.c [NET]: Remove /proc/net/stat/*_arp_cache upon module removal 2007-11-07 04:08:53 -08:00
net-sysfs.c [NET]: Remove in-code externs for some functions from net/core/dev.c 2007-10-23 21:27:56 -07:00
net-sysfs.h [NET]: Remove in-code externs for some functions from net/core/dev.c 2007-10-23 21:27:56 -07:00
net_namespace.c [NET]: Cleanup pernet operation without CONFIG_NET_NS 2007-11-13 03:23:21 -08:00
netevent.c [NET]: net/core/netevent.c should #include <net/netevent.h> 2007-07-05 17:40:27 -07:00
netpoll.c [NET]: Fix race between poll_napi() and net_rx_action() 2007-10-29 22:37:28 -07:00
pktgen.c [PKTGEN]: Fix double unlock of xfrm_state->lock 2007-11-19 22:51:24 -08:00
request_sock.c [INET]: Fix potential kfree on vmalloc-ed area of request_sock_queue 2007-11-15 02:57:06 -08:00
rtnetlink.c [NETNS]: Fix get_net_ns_by_pid 2007-10-26 22:56:12 -07:00
scm.c [NET]: Fix function put_cmsg() which may cause usr application memory overflow 2007-12-20 14:36:44 -08:00
skbuff.c [SKBUFF]: Free old skb properly in skb_morph 2007-11-26 23:11:19 +08:00
sock.c [NET]: Unexport sysctl_{r,w}mem_max. 2007-11-12 21:24:14 -08:00
stream.c [NET] CORE: Fix whitespace errors. 2007-02-10 23:19:25 -08:00
sysctl_net_core.c [NET]: Don't declare extern variables in net/core/sysctl_net_core.c 2007-10-23 21:27:56 -07:00
user_dma.c [NET]: Revert sk_buff walker cleanups. 2007-04-27 15:21:23 -07:00
utils.c [NET] net/core/utils: fix sparse warning 2007-08-07 18:02:43 -07:00