From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 02/46] net: separate out the msghdr copy from ___sys_{send,recv}msg()
Date: Tue, 3 Dec 2019 23:35:22 +0100 [thread overview]
Message-ID: <20191203212707.559208192@linuxfoundation.org> (raw)
In-Reply-To: <20191203212705.175425505@linuxfoundation.org>
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit 4257c8ca13b084550574b8c9a667d9c90ff746eb ]
This is in preparation for enabling the io_uring helpers for sendmsg
and recvmsg to first copy the header for validation before continuing
with the operation.
There should be no functional changes in this patch.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/socket.c | 141 ++++++++++++++++++++++++++++++++++-----------------
1 file changed, 95 insertions(+), 46 deletions(-)
diff --git a/net/socket.c b/net/socket.c
index 6a9ab7a8b1d2c..fbe08d7df7732 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2232,15 +2232,10 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
return err < 0 ? err : 0;
}
-static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
- struct msghdr *msg_sys, unsigned int flags,
- struct used_address *used_address,
- unsigned int allowed_msghdr_flags)
+static int ____sys_sendmsg(struct socket *sock, struct msghdr *msg_sys,
+ unsigned int flags, struct used_address *used_address,
+ unsigned int allowed_msghdr_flags)
{
- struct compat_msghdr __user *msg_compat =
- (struct compat_msghdr __user *)msg;
- struct sockaddr_storage address;
- struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
unsigned char ctl[sizeof(struct cmsghdr) + 20]
__aligned(sizeof(__kernel_size_t));
/* 20 is size of ipv6_pktinfo */
@@ -2248,19 +2243,10 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
int ctl_len;
ssize_t err;
- msg_sys->msg_name = &address;
-
- if (MSG_CMSG_COMPAT & flags)
- err = get_compat_msghdr(msg_sys, msg_compat, NULL, &iov);
- else
- err = copy_msghdr_from_user(msg_sys, msg, NULL, &iov);
- if (err < 0)
- return err;
-
err = -ENOBUFS;
if (msg_sys->msg_controllen > INT_MAX)
- goto out_freeiov;
+ goto out;
flags |= (msg_sys->msg_flags & allowed_msghdr_flags);
ctl_len = msg_sys->msg_controllen;
if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
@@ -2268,7 +2254,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
cmsghdr_from_user_compat_to_kern(msg_sys, sock->sk, ctl,
sizeof(ctl));
if (err)
- goto out_freeiov;
+ goto out;
ctl_buf = msg_sys->msg_control;
ctl_len = msg_sys->msg_controllen;
} else if (ctl_len) {
@@ -2277,7 +2263,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
if (ctl_len > sizeof(ctl)) {
ctl_buf = sock_kmalloc(sock->sk, ctl_len, GFP_KERNEL);
if (ctl_buf == NULL)
- goto out_freeiov;
+ goto out;
}
err = -EFAULT;
/*
@@ -2323,7 +2309,47 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
out_freectl:
if (ctl_buf != ctl)
sock_kfree_s(sock->sk, ctl_buf, ctl_len);
-out_freeiov:
+out:
+ return err;
+}
+
+static int sendmsg_copy_msghdr(struct msghdr *msg,
+ struct user_msghdr __user *umsg, unsigned flags,
+ struct iovec **iov)
+{
+ int err;
+
+ if (flags & MSG_CMSG_COMPAT) {
+ struct compat_msghdr __user *msg_compat;
+
+ msg_compat = (struct compat_msghdr __user *) umsg;
+ err = get_compat_msghdr(msg, msg_compat, NULL, iov);
+ } else {
+ err = copy_msghdr_from_user(msg, umsg, NULL, iov);
+ }
+ if (err < 0)
+ return err;
+
+ return 0;
+}
+
+static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags,
+ struct used_address *used_address,
+ unsigned int allowed_msghdr_flags)
+{
+ struct sockaddr_storage address;
+ struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
+ ssize_t err;
+
+ msg_sys->msg_name = &address;
+
+ err = sendmsg_copy_msghdr(msg_sys, msg, flags, &iov);
+ if (err < 0)
+ return err;
+
+ err = ____sys_sendmsg(sock, msg_sys, flags, used_address,
+ allowed_msghdr_flags);
kfree(iov);
return err;
}
@@ -2442,33 +2468,41 @@ SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
return __sys_sendmmsg(fd, mmsg, vlen, flags, true);
}
-static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
- struct msghdr *msg_sys, unsigned int flags, int nosec)
+static int recvmsg_copy_msghdr(struct msghdr *msg,
+ struct user_msghdr __user *umsg, unsigned flags,
+ struct sockaddr __user **uaddr,
+ struct iovec **iov)
{
- struct compat_msghdr __user *msg_compat =
- (struct compat_msghdr __user *)msg;
- struct iovec iovstack[UIO_FASTIOV];
- struct iovec *iov = iovstack;
- unsigned long cmsg_ptr;
- int len;
ssize_t err;
- /* kernel mode address */
- struct sockaddr_storage addr;
-
- /* user mode address pointers */
- struct sockaddr __user *uaddr;
- int __user *uaddr_len = COMPAT_NAMELEN(msg);
-
- msg_sys->msg_name = &addr;
+ if (MSG_CMSG_COMPAT & flags) {
+ struct compat_msghdr __user *msg_compat;
- if (MSG_CMSG_COMPAT & flags)
- err = get_compat_msghdr(msg_sys, msg_compat, &uaddr, &iov);
- else
- err = copy_msghdr_from_user(msg_sys, msg, &uaddr, &iov);
+ msg_compat = (struct compat_msghdr __user *) umsg;
+ err = get_compat_msghdr(msg, msg_compat, uaddr, iov);
+ } else {
+ err = copy_msghdr_from_user(msg, umsg, uaddr, iov);
+ }
if (err < 0)
return err;
+ return 0;
+}
+
+static int ____sys_recvmsg(struct socket *sock, struct msghdr *msg_sys,
+ struct user_msghdr __user *msg,
+ struct sockaddr __user *uaddr,
+ unsigned int flags, int nosec)
+{
+ struct compat_msghdr __user *msg_compat =
+ (struct compat_msghdr __user *) msg;
+ int __user *uaddr_len = COMPAT_NAMELEN(msg);
+ struct sockaddr_storage addr;
+ unsigned long cmsg_ptr;
+ int len;
+ ssize_t err;
+
+ msg_sys->msg_name = &addr;
cmsg_ptr = (unsigned long)msg_sys->msg_control;
msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT);
@@ -2479,7 +2513,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
flags |= MSG_DONTWAIT;
err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys, flags);
if (err < 0)
- goto out_freeiov;
+ goto out;
len = err;
if (uaddr != NULL) {
@@ -2487,12 +2521,12 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
msg_sys->msg_namelen, uaddr,
uaddr_len);
if (err < 0)
- goto out_freeiov;
+ goto out;
}
err = __put_user((msg_sys->msg_flags & ~MSG_CMSG_COMPAT),
COMPAT_FLAGS(msg));
if (err)
- goto out_freeiov;
+ goto out;
if (MSG_CMSG_COMPAT & flags)
err = __put_user((unsigned long)msg_sys->msg_control - cmsg_ptr,
&msg_compat->msg_controllen);
@@ -2500,10 +2534,25 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
err = __put_user((unsigned long)msg_sys->msg_control - cmsg_ptr,
&msg->msg_controllen);
if (err)
- goto out_freeiov;
+ goto out;
err = len;
+out:
+ return err;
+}
+
+static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags, int nosec)
+{
+ struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
+ /* user mode address pointers */
+ struct sockaddr __user *uaddr;
+ ssize_t err;
+
+ err = recvmsg_copy_msghdr(msg_sys, msg, flags, &uaddr, &iov);
+ if (err < 0)
+ return err;
-out_freeiov:
+ err = ____sys_recvmsg(sock, msg_sys, msg, uaddr, flags, nosec);
kfree(iov);
return err;
}
--
2.20.1
next prev parent reply other threads:[~2019-12-03 22:37 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-03 22:35 [PATCH 5.4 00/46] 5.4.2-stable review Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 01/46] io_uring: async workers should inherit the user creds Greg Kroah-Hartman
2019-12-03 22:35 ` Greg Kroah-Hartman [this message]
2019-12-03 22:35 ` [PATCH 5.4 03/46] net: disallow ancillary data for __sys_{send,recv}msg_file() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 04/46] crypto: inside-secure - Fix stability issue with Macchiatobin Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 05/46] driver core: platform: use the correct callback type for bus_find_device Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 06/46] usb: dwc2: use a longer core rest timeout in dwc2_core_reset() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 07/46] staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 08/46] staging: rtl8192e: fix potential use after free Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 09/46] staging: rtl8723bs: Drop ACPI device ids Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 10/46] staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 11/46] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 12/46] mei: bus: prefix device names on bus with the bus name Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 13/46] mei: me: add comet point V device id Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 14/46] thunderbolt: Power cycle the router if NVM authentication fails Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 15/46] x86/fpu: Dont cache access to fpu_fpregs_owner_ctx Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 16/46] gve: Fix the queue page list allocated pages count Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 17/46] macvlan: schedule bc_work even if error Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 18/46] mdio_bus: dont use managed reset-controller Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 19/46] net: dsa: sja1105: fix sja1105_parse_rgmii_delays() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 20/46] net: macb: add missed tasklet_kill Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 21/46] net: psample: fix skb_over_panic Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 22/46] net: sched: fix `tc -s class show` no bstats on class with nolock subqueues Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 23/46] openvswitch: fix flow command message size Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 24/46] sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 25/46] slip: Fix use-after-free Read in slip_open Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 26/46] sctp: cache netns in sctp_ep_common Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 27/46] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 28/46] openvswitch: remove another BUG_ON() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 29/46] net/tls: take into account that bpf_exec_tx_verdict() may free the record Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 30/46] net/tls: free the record on encryption error Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 31/46] net: skmsg: fix TLS 1.3 crash with full sk_msg Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 32/46] selftests/tls: add a test for fragmented messages Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 33/46] net/tls: remove the dead inplace_crypto code Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 34/46] net/tls: use sg_next() to walk sg entries Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 35/46] selftests: bpf: test_sockmap: handle file creation failures gracefully Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 36/46] selftests: bpf: correct perror strings Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 37/46] tipc: fix link name length check Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 38/46] selftests: pmtu: use -oneline for ip route list cache Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 39/46] r8169: fix jumbo configuration for RTL8168evl Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 40/46] r8169: fix resume on cable plug-in Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 41/46] ext4: add more paranoia checking in ext4_expand_extra_isize handling Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 42/46] Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()" Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 43/46] crypto: talitos - Fix build error by selecting LIB_DES Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 44/46] HID: core: check whether Usage Page item is after Usage ID items Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 45/46] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 46/46] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size Greg Kroah-Hartman
2019-12-04 10:26 ` [PATCH 5.4 00/46] 5.4.2-stable review Jon Hunter
2019-12-04 10:26 ` Jon Hunter
2019-12-04 13:23 ` Amol Grover
2019-12-04 17:13 ` Greg Kroah-Hartman
2019-12-05 16:43 ` Amol Grover
2019-12-06 13:05 ` Greg Kroah-Hartman
2019-12-04 13:56 ` Naresh Kamboju
2019-12-04 20:38 ` Greg Kroah-Hartman
2019-12-04 17:50 ` shuah
2019-12-04 20:37 ` Greg Kroah-Hartman
2019-12-04 19:05 ` Guenter Roeck
2019-12-04 20:37 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191203212707.559208192@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.