* [PATCH 06/10] ipc: Don't allocate a copy larger than max
2013-02-26 2:21 [PATCH 00/10] ipc MSG_COPY fixes Peter Hurley
@ 2013-02-26 2:21 ` Peter Hurley
0 siblings, 0 replies; 3+ messages in thread
From: Peter Hurley @ 2013-02-26 2:21 UTC (permalink / raw)
To: Stanislav Kinsbursky
Cc: Andrew Morton, linux-kernel, Dave Jones, Peter Hurley
When MSG_COPY is set, a duplicate message must be allocated for
the copy before locking the queue. However, the copy could
not be larger than was sent which is limited to msg_ctlmax.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
ipc/msg.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipc/msg.c b/ipc/msg.c
index 950572f..31cd1bf 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
struct msg_msg *copy = NULL;
unsigned long copy_number = 0;
+ ns = current->nsproxy->ipc_ns;
+
if (msqid < 0 || (long) bufsz < 0)
return -EINVAL;
if (msgflg & MSG_COPY) {
- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
+ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
+ msgflg, &msgtyp, ©_number);
if (IS_ERR(copy))
return PTR_ERR(copy);
}
mode = convert_mode(&msgtyp, msgflg);
- ns = current->nsproxy->ipc_ns;
msq = msg_lock_check(ns, msqid);
if (IS_ERR(msq)) {
--
1.8.1.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 06/10] ipc: Don't allocate a copy larger than max
@ 2013-05-25 12:04 Manfred Spraul
2013-05-26 10:25 ` Peter Hurley
0 siblings, 1 reply; 3+ messages in thread
From: Manfred Spraul @ 2013-05-25 12:04 UTC (permalink / raw)
To: Peter Hurley, Linux Kernel Mailing List, Andrew Morton
Hi Peter,
You wrote:
> When MSG_COPY is set, a duplicate message must be allocated for
> the copy before locking the queue. However, the copy could
> not be larger than was sent which is limited to msg_ctlmax.
>
> Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
> ---
> ipc/msg.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/ipc/msg.c b/ipc/msg.c
> index 950572f..31cd1bf 100644
> --- a/ipc/msg.c
> +++ b/ipc/msg.c
> @@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
> struct msg_msg *copy = NULL;
> unsigned long copy_number = 0;
>
> + ns = current->nsproxy->ipc_ns;
> +
> if (msqid < 0 || (long) bufsz < 0)
> return -EINVAL;
> if (msgflg & MSG_COPY) {
> - copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
> + copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
> + msgflg, &msgtyp, ©_number);
What about:
- increase msg_ctlmax
- send message
- reduce msg_ctlmax
The side effects of the patch are odd:
- without MSG_COPY, a message can be read regardsless of the size.
The user could check for E2BIG and increase the buffer size until
msgrcv succeeds.
- with MSG_COPY, something else would happen.
As far as I can see, it would oops: msg_ctlmax bytes are allocated,
then the E2BIG test is against bufsz, and copy_msg() doesn't check
the size of the target buffer.
I.e.: I would propose to revert the patch.
--
Manfred
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 06/10] ipc: Don't allocate a copy larger than max
2013-05-25 12:04 [PATCH 06/10] ipc: Don't allocate a copy larger than max Manfred Spraul
@ 2013-05-26 10:25 ` Peter Hurley
0 siblings, 0 replies; 3+ messages in thread
From: Peter Hurley @ 2013-05-26 10:25 UTC (permalink / raw)
To: Manfred Spraul; +Cc: Linux Kernel Mailing List, Andrew Morton
On 05/25/2013 08:04 AM, Manfred Spraul wrote:
> Hi Peter,
>
> You wrote:
>> When MSG_COPY is set, a duplicate message must be allocated for
>> the copy before locking the queue. However, the copy could
>> not be larger than was sent which is limited to msg_ctlmax.
>>
>> Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
>> ---
>> ipc/msg.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/ipc/msg.c b/ipc/msg.c
>> index 950572f..31cd1bf 100644
>> --- a/ipc/msg.c
>> +++ b/ipc/msg.c
>> @@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
>> struct msg_msg *copy = NULL;
>> unsigned long copy_number = 0;
>> + ns = current->nsproxy->ipc_ns;
>> +
>> if (msqid < 0 || (long) bufsz < 0)
>> return -EINVAL;
>> if (msgflg & MSG_COPY) {
>> - copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
>> + copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
>> + msgflg, &msgtyp, ©_number);
>
> What about:
> - increase msg_ctlmax
> - send message
> - reduce msg_ctlmax
>
> The side effects of the patch are odd:
> - without MSG_COPY, a message can be read regardsless of the size.
> The user could check for E2BIG and increase the buffer size until
> msgrcv succeeds.
The patch does not change the behavior of non-MSG_COPY msg receive.
> - with MSG_COPY, something else would happen.
> As far as I can see, it would oops: msg_ctlmax bytes are allocated,
> then the E2BIG test is against bufsz, and copy_msg() doesn't check
> the size of the target buffer.
I assume you are using 3.9
Current mainline returns EINVAL.
Regards,
Peter Hurley
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-05-26 10:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-25 12:04 [PATCH 06/10] ipc: Don't allocate a copy larger than max Manfred Spraul
2013-05-26 10:25 ` Peter Hurley
-- strict thread matches above, loose matches on Subject: below --
2013-02-26 2:21 [PATCH 00/10] ipc MSG_COPY fixes Peter Hurley
2013-02-26 2:21 ` [PATCH 06/10] ipc: Don't allocate a copy larger than max Peter Hurley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox