Date: Wed, 17 Feb 2016 11:38:05 -0500
From: Joe Korty
To: "David S. Miller", Alexander Viro
CC: Linux Kernel Mailing List
Subject: [PATCH] Fix kfree bug in sendmsg and recvmsg
Message-ID: <20160217163805.GA15781@zipoli.ccur.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Fix kfree bug in recvmsg and sendmsg.

We cannot kfree(iov) when iov points to an array on the stack, as that has the potential of corrupting memory.

So re-introduce the if-stmt that used to protect kfree from this condition, code that was removed as part of a larger set of changes made by git commit da184284.

Signed-off-by: Joe Korty

Index: b/net/socket.c =================================================================== --- a/net/socket.c +++ b/net/socket.c @@ -1960,7 +1960,8 @@ out_freectl: if (ctl_buf != ctl) sock_kfree_s(sock->sk, ctl_buf, ctl_len); out_freeiov: - kfree(iov); + if (iov != iovstack) + kfree(iov); return err; } @@ -2125,7 +2126,8 @@ static int ___sys_recvmsg(struct socket err = len; out_freeiov: - kfree(iov); + if (iov != iovstack) + kfree(iov); return err; }
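
Review bot: In the first hunk (the out_freeiov label that follows out_freectl), the new `if (iov != iovstack)` test only matters if iov can still hold the address of iovstack when control reaches this label, and neither the hunk nor the commit message shows where iov is assigned. Please name in the commit message the call that fills in iov and state what it leaves in iov when the on-stack array is used, so the claim that kfree() can be handed a stack pointer here can be checked against that code. If that call already clears iov in the stack case, the guard is redundant rather than a fix.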
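
Review bot: In the ___sys_recvmsg hunk the guard at out_freeiov goes in without a comment, while the commit message says the same test was already dropped once as part of a larger set of changes (da184284). A one-line comment above `if (iov != iovstack)` stating that iov may alias the on-stack iovstack would keep the reason visible in the code. The reference to da184284 would also be easier to follow with that commit's subject line next to the abbreviated hash.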