From: Anton Blanchard <anton@samba.org>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: davem@davemloft.net, eparis@parisplace.org,
casey@schaufler-ca.com, mjt@tls.msk.ru, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] net: Fix security_socket_sendmsg() bypass problem.
Date: Wed, 3 Aug 2011 23:29:57 +1000 [thread overview]
Message-ID: <20110803232957.5e7a5d0a@kryten> (raw)
In-Reply-To: <201108032120.CHC60420.OVOFQFHMJLSOtF@I-love.SAKURA.ne.jp>
Hi,
> > I much prefer to make the error handling more correct, rather than
> > making sendmmsg() have fundamentally different semantics depending
> > upon the underlying LSM.
>
> Well, the way how sendmmsg() returns error code is tricky. But
> recvmmsg() has been doing in this way for a while. So, for symmetry
> reason, maybe sendmmsg() should do as with recvmmsg() since it is too
> late to change recvmmsg()'s way.
>
> So, programmers should be warned (in the man pages) that they should
> always call getsockopt(SO_ERROR) (in order to clear the error code)
> if sendmmsg() or recvmmsg() returned less than requested.
As you suggest, I wanted to mirror how recvmmsg returns errors. But I
now agree with Dave, we should not return an error if we managed to send
any datagrams.
Perhaps we need to modify recvmmsg to do the same?
> By the way, don't we want integer overflow check and/or
> cond_resched() here? I don't know whether there is an arch where
> userspace can allocate (1 << BITS_PER_INT) * sizeof(struct msghdr)
> bytes using malloc() and kernel can allocate huge memory for the
> socket buffer.
>
> #include <stdio.h>
> int main(int argc, char *argv[])
> {
> int datagrams = 0;
> unsigned int vlen = 4294967290U;
> while (datagrams < vlen)
> datagrams++;
> printf("%u\n", datagrams);
> return 0;
> }
>
> I think this program (on x86_32) will print an IS_ERR() value upon
> success.
Good catch. I wonder if we can do something similar to read/write where
we just truncate the length. What value should we use? One option is to
reuse UIO_MAXIOV (1024).
The following patch is compiled tested only so far.
Anton
--
[PATCH] net: Cap number of elements for recvmmsg and sendmmsg
To limit the amount of time we can spend in recvmmsg and sendmmsg,
cap the number of elements to UIO_MAXIOV (currently 1024).
Signed-off-by: Anton Blanchard <anton@samba.org>
Cc: <stable@kernel.org>
---
diff --git a/net/socket.c b/net/socket.c
index b1cbbcd..ad345b1 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1999,6 +1999,9 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
struct compat_mmsghdr __user *compat_entry;
struct msghdr msg_sys;
+ if (vlen > UIO_MAXIOV)
+ vlen = UIO_MAXIOV;
+
datagrams = 0;
sock = sockfd_lookup_light(fd, &err, &fput_needed);
@@ -2199,6 +2202,9 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
struct msghdr msg_sys;
struct timespec end_time;
+ if (vlen > UIO_MAXIOV)
+ vlen = UIO_MAXIOV;
+
if (timeout &&
poll_select_set_timeout(&end_time, timeout->tv_sec,
timeout->tv_nsec))
next prev parent reply other threads:[~2011-08-03 13:29 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <201107110304.p6B34422036886@www262.sakura.ne.jp>
[not found] ` <201107191754.22391.paul.moore@hp.com>
[not found] ` <201107200142.p6K1gKYg077046@www262.sakura.ne.jp>
[not found] ` <201107211721.14511.paul.moore@hp.com>
2011-07-22 11:41 ` Question regarding sendmmsg() Tetsuo Handa
2011-07-22 12:27 ` Tetsuo Handa
2011-07-22 15:12 ` [PATCH] net: Fix security_socket_sendmsg() bypass problem Tetsuo Handa
2011-07-22 15:22 ` David Miller
2011-07-22 17:42 ` Tetsuo Handa
2011-07-22 18:31 ` Tetsuo Handa
2011-07-23 5:20 ` Tetsuo Handa
2011-07-23 7:04 ` Michael Tokarev
2011-07-23 10:39 ` Tetsuo Handa
2011-07-25 12:20 ` Anton Blanchard
2011-07-25 13:15 ` Tetsuo Handa
2011-07-25 15:44 ` Casey Schaufler
2011-07-25 16:43 ` Tetsuo Handa
2011-07-25 17:00 ` Casey Schaufler
2011-07-26 9:55 ` Anton Blanchard
2011-07-26 11:21 ` Tetsuo Handa
2011-07-26 13:58 ` Eric Paris
2011-07-28 3:36 ` Tetsuo Handa
2011-08-02 6:07 ` David Miller
2011-08-02 9:28 ` Tetsuo Handa
2011-08-02 11:18 ` David Miller
2011-08-02 11:26 ` David Miller
2011-08-02 11:52 ` Tetsuo Handa
2011-08-02 12:01 ` David Miller
2011-08-02 13:11 ` Tetsuo Handa
2011-08-03 3:25 ` Tetsuo Handa
2011-08-03 3:38 ` David Miller
2011-08-03 3:47 ` Anton Blanchard
2011-08-03 12:20 ` Tetsuo Handa
2011-08-03 13:29 ` Anton Blanchard [this message]
2011-08-03 13:37 ` Eduard Sinelnikov
2011-08-03 21:50 ` Tetsuo Handa
2011-08-04 12:56 ` Anton Blanchard
2011-08-03 13:54 ` Anton Blanchard
2011-07-26 20:30 ` Question regarding sendmmsg() Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110803232957.5e7a5d0a@kryten \
--to=anton@samba.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjt@tls.msk.ru \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox