From: Dan Carpenter <dan.carpenter@oracle.com>
To: Matthew Leach <matthew.leach@arm.com>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
	Will Deacon <Will.Deacon@arm.com>
Subject: Re: sys_sendmsg Fails Silently With Negative msg_namelen
Date: Sat, 8 Mar 2014 00:26:09 +0300	[thread overview]
Message-ID: <20140307212609.GQ4774@mwanda> (raw)
In-Reply-To: <87vbvpx0fo.fsf@e106496-lin.cambridge.arm.com>

On Fri, Mar 07, 2014 at 07:39:55PM +0000, Matthew Leach wrote:
> Hello,
> 
> Passing -1 in msg->msg_namelen to sys_sendmsg will cause the syscall
> to finish without error. This happens because of the following check
> in copy_msghdr_from_user:
> 
> if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
> 	 kmsg->msg_namelen = sizeof(struct sockaddr_storage);
> 
> This check passes due to a comparison between signed (msg_namelen =
> -1) and unsigned values (sizeof(struct sockaddr_storage) = 128). This
> was introduced with 1661bf36 ("net: heap overflow in
> __audit_sockaddr()").

The silent capping was actually introduced in commit db31c55a6fb2 ('net:
clamp ->msg_namelen instead of returning an error').  Just returning an
error code broke beta versions of Ruby and maybe something else?

> 
> Below is an ugly patch that fixes this. Are there any suggestions on a
> cleaner fix?

Your patch re-introduces the memory corruption bug that 1661bf36 ("net:
heap overflow in __audit_sockaddr()") was supposed to fix.

I think Ruby was using larger buffer sizes than necessary so we could
add something like:

	if (kmsg->msg_namelen < 0)
		return -EINVAL;
	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
		kmsg->msg_namelen = sizeof(struct sockaddr_storage);

Why are people passing -1 as the buffer size anyway?  Your email
suggests that people expect it to work, and it will work fine if you
have a buffer size which is larger than sizeof(struct sockaddr_storage).
I'm nervous about changing something which works fine in case I break
userspace.  A second time.  :P

regards,
dan carpenter
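As an added, user-space model of the two checks discussed in this thread (not code from the kernel or from either poster; the function names and the return-value convention are this example's own), showing how the int-versus-size_t comparison silently turns -1 into sizeof(struct sockaddr_storage) and how the proposed negative-length test changes that:

```c
/* Added example: models the msg_namelen handling from the thread above in
 * user space. msg_namelen is a plain int in the kernel msghdr, so comparing
 * it with sizeof() applies the usual arithmetic conversions: -1 becomes
 * SIZE_MAX, the "> sizeof" test is true, and the value is clamped instead
 * of rejected. Function names here are this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* Check as it stands after db31c55a6fb2: a negative length is never
 * rejected, it is clamped to sizeof(struct sockaddr_storage) and sendmsg
 * carries on. Returns the length the kernel would keep using. */
static int clamp_namelen_current(int msg_namelen)
{
	/* For msg_namelen == -1 this comparison is true: -1 is converted
	 * to size_t before the compare and is larger than 128. */
	if (msg_namelen > sizeof(struct sockaddr_storage))
		msg_namelen = sizeof(struct sockaddr_storage);
	return msg_namelen;
}

/* Dan's suggested variant: reject a negative length up front, then keep
 * the clamp so an oversized positive length still cannot overrun the
 * sockaddr_storage copy (the bug 1661bf36 fixed). Returns the accepted
 * length, or a negative errno. */
static int clamp_namelen_proposed(int msg_namelen)
{
	if (msg_namelen < 0)
		return -EINVAL;
	if (msg_namelen > sizeof(struct sockaddr_storage))
		msg_namelen = sizeof(struct sockaddr_storage);
	return msg_namelen;
}

int main(void)
{
	/* Constructed inputs: the -1 from the report, a normal IPv4 length,
	 * and an oversized buffer like the one the thread says Ruby used. */
	const int inputs[] = { -1, 16, 4096 };
	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("namelen %5d: current keeps %4d, proposed returns %d\n",
		       inputs[i], clamp_namelen_current(inputs[i]),
		       clamp_namelen_proposed(inputs[i]));
	return 0;
}
```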
