Re: [PATCH] sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vlad Yasevich <vyasevich@gmail.com>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
	Neil Horman <nhorman@tuxdriver.com>,
	Sridhar Samudrala <sri@us.ibm.com>,
	"David S. Miller" <davem@davemloft.net>,
	Dave Jones <davej@redhat.com>
Subject: Re: [PATCH] sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
Date: Mon, 26 Nov 2012 14:56:57 +0000	[thread overview]
Message-ID: <50B38339.40105@gmail.com> (raw)
In-Reply-To: <1353590596-12216-1-git-send-email-tt.rantala@gmail.com>

On 11/22/2012 08:23 AM, Tommi Rantala wrote:
> Consider the following program, that sets the second argument to the
> sendto() syscall incorrectly:
>
>   #include <string.h>
>   #include <arpa/inet.h>
>   #include <sys/socket.h>
>
>   int main(void)
>   {
>           int fd;
>           struct sockaddr_in sa;
>
>           fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
>           if (fd < 0)
>                   return 1;
>
>           memset(&sa, 0, sizeof(sa));
>           sa.sin_family = AF_INET;
>           sa.sin_addr.s_addr = inet_addr("127.0.0.1");
>           sa.sin_port = htons(11111);
>
>           sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
>
>           return 0;
>   }
>
> We get -ENOMEM:
>
>   $ strace -e sendto ./demo
>   sendto(3, NULL, 1, 0, {sa_family¯_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
>
> Propagate the error code from sctp_user_addto_chunk(), so that we will
> tell user space what actually went wrong:
>
>   $ strace -e sendto ./demo
>   sendto(3, NULL, 1, 0, {sa_family¯_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
>
> Noticed while running Trinity (the syscall fuzzer).
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>

Looks good

Acked-by: Vlad Yasevich <vyasevich@gmail.com>

-vlad

> ---
>   net/sctp/chunk.c  |   13 +++++++++----
>   net/sctp/socket.c |    4 ++--
>   2 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> index d241ef5..3952ca9 100644
> --- a/net/sctp/chunk.c
> +++ b/net/sctp/chunk.c
> @@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
>
>   	msg = sctp_datamsg_new(GFP_KERNEL);
>   	if (!msg)
> -		return NULL;
> +		return ERR_PTR(-ENOMEM);
>
>   	/* Note: Calculate this outside of the loop, so that all fragments
>   	 * have the same expiration.
> @@ -280,8 +280,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
>
>   		chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
>
> -		if (!chunk)
> +		if (!chunk) {
> +			err = -ENOMEM;
>   			goto errout;
> +		}
> +
>   		err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
>   		if (err < 0)
>   			goto errout_chunk_put;
> @@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
>
>   		chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
>
> -		if (!chunk)
> +		if (!chunk) {
> +			err = -ENOMEM;
>   			goto errout;
> +		}
>
>   		err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
>
> @@ -342,7 +347,7 @@ errout:
>   		sctp_chunk_free(chunk);
>   	}
>   	sctp_datamsg_put(msg);
> -	return NULL;
> +	return ERR_PTR(err);
>   }
>
>   /* Check whether this message has expired. */
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index a60d1f8..406d957 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
>
>   	/* Break the message into multiple chunks of maximum size. */
>   	datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
> -	if (!datamsg) {
> -		err = -ENOMEM;
> +	if (IS_ERR(datamsg)) {
> +		err = PTR_ERR(datamsg);
>   		goto out_free;
>   	}
>
>

WARNING: multiple messages have this Message-ID (diff)

From: Vlad Yasevich <vyasevich@gmail.com>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
	Neil Horman <nhorman@tuxdriver.com>,
	Sridhar Samudrala <sri@us.ibm.com>,
	"David S. Miller" <davem@davemloft.net>,
	Dave Jones <davej@redhat.com>
Subject: Re: [PATCH] sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
Date: Mon, 26 Nov 2012 09:56:57 -0500	[thread overview]
Message-ID: <50B38339.40105@gmail.com> (raw)
In-Reply-To: <1353590596-12216-1-git-send-email-tt.rantala@gmail.com>

On 11/22/2012 08:23 AM, Tommi Rantala wrote:
> Consider the following program, that sets the second argument to the
> sendto() syscall incorrectly:
>
>   #include <string.h>
>   #include <arpa/inet.h>
>   #include <sys/socket.h>
>
>   int main(void)
>   {
>           int fd;
>           struct sockaddr_in sa;
>
>           fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
>           if (fd < 0)
>                   return 1;
>
>           memset(&sa, 0, sizeof(sa));
>           sa.sin_family = AF_INET;
>           sa.sin_addr.s_addr = inet_addr("127.0.0.1");
>           sa.sin_port = htons(11111);
>
>           sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
>
>           return 0;
>   }
>
> We get -ENOMEM:
>
>   $ strace -e sendto ./demo
>   sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
>
> Propagate the error code from sctp_user_addto_chunk(), so that we will
> tell user space what actually went wrong:
>
>   $ strace -e sendto ./demo
>   sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
>
> Noticed while running Trinity (the syscall fuzzer).
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>

Looks good

Acked-by: Vlad Yasevich <vyasevich@gmail.com>

-vlad

> ---
>   net/sctp/chunk.c  |   13 +++++++++----
>   net/sctp/socket.c |    4 ++--
>   2 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> index d241ef5..3952ca9 100644
> --- a/net/sctp/chunk.c
> +++ b/net/sctp/chunk.c
> @@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
>
>   	msg = sctp_datamsg_new(GFP_KERNEL);
>   	if (!msg)
> -		return NULL;
> +		return ERR_PTR(-ENOMEM);
>
>   	/* Note: Calculate this outside of the loop, so that all fragments
>   	 * have the same expiration.
> @@ -280,8 +280,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
>
>   		chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
>
> -		if (!chunk)
> +		if (!chunk) {
> +			err = -ENOMEM;
>   			goto errout;
> +		}
> +
>   		err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
>   		if (err < 0)
>   			goto errout_chunk_put;
> @@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
>
>   		chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
>
> -		if (!chunk)
> +		if (!chunk) {
> +			err = -ENOMEM;
>   			goto errout;
> +		}
>
>   		err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
>
> @@ -342,7 +347,7 @@ errout:
>   		sctp_chunk_free(chunk);
>   	}
>   	sctp_datamsg_put(msg);
> -	return NULL;
> +	return ERR_PTR(err);
>   }
>
>   /* Check whether this message has expired. */
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index a60d1f8..406d957 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
>
>   	/* Break the message into multiple chunks of maximum size. */
>   	datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
> -	if (!datamsg) {
> -		err = -ENOMEM;
> +	if (IS_ERR(datamsg)) {
> +		err = PTR_ERR(datamsg);
>   		goto out_free;
>   	}
>
>

next prev parent reply	other threads:[~2012-11-26 14:56 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-22 13:23 [PATCH] sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall Tommi Rantala
2012-11-22 13:23 ` Tommi Rantala
2012-11-25 21:03 ` David Miller
2012-11-25 21:03   ` David Miller
2012-11-26 14:56 ` Vlad Yasevich [this message]
2012-11-26 14:56   ` Vlad Yasevich
2012-11-26 22:34   ` David Miller
2012-11-26 22:34     ` David Miller
2012-11-26 15:25 ` Neil Horman
2012-11-26 15:25   ` Neil Horman
2012-11-28 16:12 ` David Miller
2012-11-28 16:12   ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50B38339.40105@gmail.com \
    --to=vyasevich@gmail.com \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=linux-sctp@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=sri@us.ibm.com \
    --cc=tt.rantala@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.