From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Marc Dionne <marc.dionne@auristor.com>,
Willem de Bruijn <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 26/59] net: Save and restore msg_namelen in sock_sendmsg
Date: Sat, 13 Jan 2024 10:49:57 +0100 [thread overview]
Message-ID: <20240113094210.112784376@linuxfoundation.org> (raw)
In-Reply-To: <20240113094209.301672391@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Dionne <marc.dionne@auristor.com>
[ Upstream commit 01b2885d9415152bcb12ff1f7788f500a74ea0ed ]
Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in
sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer
and restore it before returning, to insulate the caller against
msg_name being changed by the called code. If the address length
was also changed however, we may return with an inconsistent structure
where the length doesn't match the address, and attempts to reuse it may
lead to lost packets.
For example, a kernel that doesn't have commit 1c5950fc6fe9 ("udp6: fix
potential access to stale information") will replace a v4 mapped address
with its ipv4 equivalent, and shorten namelen accordingly from 28 to 16.
If the caller attempts to reuse the resulting msg structure, it will have
the original ipv6 (v4 mapped) address but an incorrect v4 length.
Fixes: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/socket.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/socket.c b/net/socket.c
index 57c2b78b446b5..f7cfc703bd213 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -728,6 +728,7 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
{
struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name;
struct sockaddr_storage address;
+ int save_len = msg->msg_namelen;
int ret;
if (msg->msg_name) {
@@ -737,6 +738,7 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
ret = __sock_sendmsg(sock, msg);
msg->msg_name = save_addr;
+ msg->msg_namelen = save_len;
return ret;
}
--
2.43.0
next prev parent reply other threads:[~2024-01-13 10:01 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-13 9:49 [PATCH 5.15 00/59] 5.15.147-rc1 review Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 01/59] keys, dns: Fix missing size check of V1 server-list header Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 02/59] block: Dont invalidate pagecache for invalid falloc modes Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 03/59] ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6 Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 04/59] Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()" Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 05/59] wifi: iwlwifi: pcie: dont synchronize IRQs from IRQ Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 06/59] drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 07/59] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 08/59] octeontx2-af: Fix marking couple of structure as __packed Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 09/59] drm/i915/dp: Fix passing the correct DPCD_REV for drm_dp_set_phy_test_pattern Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 10/59] i40e: Fix filter input checks to prevent config with invalid values Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 11/59] igc: Report VLAN EtherType matching back to user Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 12/59] igc: Check VLAN TCI mask Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 13/59] igc: Check VLAN EtherType mask Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 14/59] ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 15/59] mlxbf_gige: fix receive packet race condition Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 16/59] net: sched: em_text: fix possible memory leak in em_text_destroy() Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 17/59] r8169: Fix PCI error on system resume Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 18/59] net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 19/59] can: raw: add support for SO_TXTIME/SCM_TXTIME Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 20/59] can: raw: add support for SO_MARK Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 21/59] net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 22/59] ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 23/59] sfc: fix a double-free bug in efx_probe_filters Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 24/59] net: bcmgenet: Fix FCS generation for fragmented skbuffs Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 25/59] netfilter: nft_immediate: drop chain reference counter on error Greg Kroah-Hartman
2024-01-13 9:49 ` Greg Kroah-Hartman [this message]
2024-01-13 9:49 ` [PATCH 5.15 27/59] i40e: fix use-after-free in i40e_aqc_add_filters() Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 28/59] ASoC: meson: g12a-toacodec: Validate written enum values Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 29/59] ASoC: meson: g12a-tohdmitx: " Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 30/59] ASoC: meson: g12a-toacodec: Fix event generation Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 31/59] ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 32/59] i40e: Restore VF MSI-X state during PCI reset Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 33/59] igc: Fix hicredit calculation Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 34/59] net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 35/59] octeontx2-af: Dont enable Pause frames by default Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 36/59] octeontx2-af: Set NIX link credits based on max LMAC Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 37/59] octeontx2-af: Always configure NIX TX link credits based on max frame size Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 38/59] octeontx2-af: Re-enable MAC TX in otx2_stop processing Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 39/59] asix: Add check for usbnet_get_endpoints Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 40/59] bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 41/59] net: Implement missing SO_TIMESTAMPING_NEW cmsg support Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 42/59] selftests: secretmem: floor the memory size to the multiple of page_size Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 43/59] mm/memory-failure: check the mapcount of the precise page Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 44/59] firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 45/59] x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 46/59] i2c: core: Fix atomic xfer check for non-preempt config Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 47/59] mm: fix unmap_mapping_range high bits shift bug Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 48/59] mmc: meson-mx-sdhc: Fix initialization frozen issue Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 49/59] mmc: rpmb: fixes pause retune on all RPMB partitions Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 50/59] mmc: core: Cancel delayed work before releasing host Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 51/59] mmc: sdhci-sprd: Fix eMMC init failure after hw reset Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 52/59] net: tls, update curr on splice as well Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 53/59] ipv6: remove max_size check inline with ipv4 Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 54/59] perf inject: Fix GEN_ELF_TEXT_OFFSET for jit Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 55/59] netfilter: nf_tables: Reject tables of unsupported family Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 56/59] kallsyms: Make module_kallsyms_on_each_symbol generally available Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 57/59] tracing/kprobes: Fix symbol counting logic by looking at modules as well Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 58/59] net: usb: ax88179_178a: remove redundant init code Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 59/59] net: usb: ax88179_178a: move priv to driver_priv Greg Kroah-Hartman
2024-01-13 18:42 ` [PATCH 5.15 00/59] 5.15.147-rc1 review SeongJae Park
2024-01-14 9:41 ` Ron Economos
2024-01-15 10:01 ` Naresh Kamboju
2024-01-15 10:23 ` Jon Hunter
2024-01-15 11:35 ` Shreeya Patel
2024-01-15 16:26 ` Harshit Mogalapalli
2024-01-15 19:09 ` Florian Fainelli
2024-01-15 19:47 ` Allen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240113094210.112784376@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=marc.dionne@auristor.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox