From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 15/27] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
Date: Tue, 25 Jun 2013 11:35:34 -0700 [thread overview]
Message-ID: <20130625183519.437772190@linuxfoundation.org> (raw)
In-Reply-To: <20130625183517.651770593@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@amacapital.net>
[ Upstream commits 1be374a0518a288147c6a7398792583200a67261 and
a7526eb5d06b0084ef12d7b168d008fcf516caab ]
MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
it's a hack that steals a bit to indicate to other networking code
that a compat entry was used. So don't allow it from a non-compat
syscall.
This prevents an oops when running this code:
int main()
{
int s;
struct sockaddr_in addr;
struct msghdr *hdr;
char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
if (highpage == MAP_FAILED)
err(1, "mmap");
s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (s == -1)
err(1, "socket");
addr.sin_family = AF_INET;
addr.sin_port = htons(1);
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
err(1, "connect");
void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
printf("Evil address is %p\n", evil);
if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
err(1, "sendmmsg");
return 0;
}
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/socket.h | 3 ++
net/compat.c | 13 ++++++++-
net/socket.c | 67 ++++++++++++++++++++++++++++++++-----------------
3 files changed, 59 insertions(+), 24 deletions(-)
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -336,6 +336,9 @@ extern int put_cmsg(struct msghdr*, int
struct timespec;
+/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
+extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
+extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
unsigned int flags, struct timespec *timeout);
extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
--- a/net/compat.c
+++ b/net/compat.c
@@ -743,19 +743,25 @@ static unsigned char nas[21] = {
asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
{
- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
}
asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
unsigned vlen, unsigned int flags)
{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT);
}
asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
{
- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
}
asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned flags)
@@ -777,6 +783,9 @@ asmlinkage long compat_sys_recvmmsg(int
int datagrams;
struct timespec ktspec;
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
if (COMPAT_USE_64BIT_TIME)
return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
flags | MSG_CMSG_COMPAT,
--- a/net/socket.c
+++ b/net/socket.c
@@ -1899,9 +1899,9 @@ struct used_address {
unsigned int name_len;
};
-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned flags,
- struct used_address *used_address)
+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned flags,
+ struct used_address *used_address)
{
struct compat_msghdr __user *msg_compat =
(struct compat_msghdr __user *)msg;
@@ -2017,22 +2017,30 @@ out:
* BSD sendmsg interface
*/
-SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
{
int fput_needed, err;
struct msghdr msg_sys;
- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ struct socket *sock;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
goto out;
- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
fput_light(sock->file, fput_needed);
out:
return err;
}
+SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_sendmsg(fd, msg, flags);
+}
+
/*
* Linux sendmmsg interface
*/
@@ -2063,15 +2071,16 @@ int __sys_sendmmsg(int fd, struct mmsghd
while (datagrams < vlen) {
if (MSG_CMSG_COMPAT & flags) {
- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
- &msg_sys, flags, &used_address);
+ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+ &msg_sys, flags, &used_address);
if (err < 0)
break;
err = __put_user(err, &compat_entry->msg_len);
++compat_entry;
} else {
- err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
- &msg_sys, flags, &used_address);
+ err = ___sys_sendmsg(sock,
+ (struct msghdr __user *)entry,
+ &msg_sys, flags, &used_address);
if (err < 0)
break;
err = put_user(err, &entry->msg_len);
@@ -2095,11 +2104,13 @@ int __sys_sendmmsg(int fd, struct mmsghd
SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
unsigned int, vlen, unsigned int, flags)
{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
return __sys_sendmmsg(fd, mmsg, vlen, flags);
}
-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned flags, int nosec)
+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned flags, int nosec)
{
struct compat_msghdr __user *msg_compat =
(struct compat_msghdr __user *)msg;
@@ -2192,23 +2203,31 @@ out:
* BSD recvmsg interface
*/
-SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
- unsigned int, flags)
+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
{
int fput_needed, err;
struct msghdr msg_sys;
- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ struct socket *sock;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
goto out;
- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
fput_light(sock->file, fput_needed);
out:
return err;
}
+SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+ unsigned int, flags)
+{
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+ return __sys_recvmsg(fd, msg, flags);
+}
+
/*
* Linux recvmmsg interface
*/
@@ -2246,17 +2265,18 @@ int __sys_recvmmsg(int fd, struct mmsghd
* No need to ask LSM for more than the first datagram.
*/
if (MSG_CMSG_COMPAT & flags) {
- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
- &msg_sys, flags & ~MSG_WAITFORONE,
- datagrams);
+ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+ &msg_sys, flags & ~MSG_WAITFORONE,
+ datagrams);
if (err < 0)
break;
err = __put_user(err, &compat_entry->msg_len);
++compat_entry;
} else {
- err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
- &msg_sys, flags & ~MSG_WAITFORONE,
- datagrams);
+ err = ___sys_recvmsg(sock,
+ (struct msghdr __user *)entry,
+ &msg_sys, flags & ~MSG_WAITFORONE,
+ datagrams);
if (err < 0)
break;
err = put_user(err, &entry->msg_len);
@@ -2323,6 +2343,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struc
int datagrams;
struct timespec timeout_sys;
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
if (!timeout)
return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
next prev parent reply other threads:[~2013-06-25 18:35 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-25 18:35 [ 00/27] 3.4.51-stable review Greg Kroah-Hartman
2013-06-25 18:35 ` [ 01/27] ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310 Greg Kroah-Hartman
2013-06-25 18:35 ` [ 02/27] ALSA: usb-audio: work around Android accessory firmware bug Greg Kroah-Hartman
2013-06-25 18:35 ` [ 03/27] clk: remove notifier from list before freeing it Greg Kroah-Hartman
2013-06-25 18:35 ` [ 04/27] tilepro: work around module link error with gcc 4.7 Greg Kroah-Hartman
2013-06-25 18:35 ` [ 05/27] KVM: x86: remove vcpus CPL check in host-invoked XCR set Greg Kroah-Hartman
2013-06-25 18:35 ` [ 06/27] tcp: fix tcp_md5_hash_skb_data() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 07/27] gianfar: add missing iounmap() on error in gianfar_ptp_probe() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 08/27] ipv6: fix possible crashes in ip6_cork_release() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 09/27] netlabel: improve domain mapping validation Greg Kroah-Hartman
2013-06-25 18:35 ` [ 10/27] r8169: fix offloaded tx checksum for small packets Greg Kroah-Hartman
2013-06-25 18:35 ` [ 11/27] 8139cp: reset BQL when ring tx ring cleared Greg Kroah-Hartman
2013-06-25 18:35 ` [ 12/27] tcp: bug fix in proportional rate reduction Greg Kroah-Hartman
2013-06-25 18:35 ` [ 13/27] tcp: xps: fix reordering issues Greg Kroah-Hartman
2013-06-25 18:35 ` [ 14/27] ip_tunnel: fix kernel panic with icmp_dest_unreach Greg Kroah-Hartman
2013-06-25 18:35 ` Greg Kroah-Hartman [this message]
2013-06-25 18:35 ` [ 16/27] net: force a reload of first item in hlist_nulls_for_each_entry_rcu Greg Kroah-Hartman
2013-06-25 18:35 ` [ 17/27] ipv6: assign rt6_info to inet6_ifaddr in init_loopback Greg Kroah-Hartman
2013-06-25 18:35 ` [ 18/27] net: sctp: fix NULL pointer dereference in socket destruction Greg Kroah-Hartman
2013-06-25 18:35 ` [ 19/27] team: check return value of team_get_port_by_index_rcu() for NULL Greg Kroah-Hartman
2013-06-25 18:35 ` [ 20/27] packet: packet_getname_spkt: make sure string is always 0-terminated Greg Kroah-Hartman
2013-06-25 18:35 ` [ 21/27] l2tp: Fix PPP header erasure and memory leak Greg Kroah-Hartman
2013-06-25 18:35 ` [ 22/27] l2tp: Fix sendmsg() return value Greg Kroah-Hartman
2013-06-25 18:35 ` [ 23/27] bonding: rlb mode of bond should not alter ARP originating via bridge Greg Kroah-Hartman
2013-06-25 18:35 ` [ 24/27] Input: cyttsp - fix memcpy size param Greg Kroah-Hartman
2013-06-25 18:35 ` [ 25/27] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable Greg Kroah-Hartman
2013-06-25 18:35 ` [ 26/27] target/iscsi: dont corrupt bh_count in iscsit_stop_time2retain_timer() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 27/27] inotify: invalid mask should return a error number but not set it Greg Kroah-Hartman
2013-06-25 19:39 ` [ 00/27] 3.4.51-stable review Guenter Roeck
2013-06-26 3:37 ` Greg Kroah-Hartman
2013-06-26 16:58 ` Shuah Khan
2013-06-26 17:02 ` [ 00/95] 3.9.8-stable review Shuah Khan
2013-06-26 17:10 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130625183519.437772190@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).