kernel-ark/net/core
Wei Yongjun 1ac70e7ad2 [NET]: Fix function put_cmsg() which may cause usr application memory overflow
When used function put_cmsg() to copy kernel information to user 
application memory, if the memory length given by user application is 
not enough, by the bad length calculate of msg.msg_controllen, 
put_cmsg() function may cause the msg.msg_controllen to be a large 
value, such as 0xFFFFFFF0, so the following put_cmsg() can also write 
data to usr application memory even usr has no valid memory to store 
this. This may cause usr application memory overflow.

int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
    struct cmsghdr __user *cm
        = (__force struct cmsghdr __user *)msg->msg_control;
    struct cmsghdr cmhdr;
    int cmlen = CMSG_LEN(len);
    ~~~~~~~~~~~~~~~~~~~~~
    int err;

    if (MSG_CMSG_COMPAT & msg->msg_flags)
        return put_cmsg_compat(msg, level, type, len, data);

    if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
        msg->msg_flags |= MSG_CTRUNC;
        return 0; /* XXX: return error? check spec. */
    }
    if (msg->msg_controllen < cmlen) {
    ~~~~~~~~~~~~~~~~~~~~~~~~
        msg->msg_flags |= MSG_CTRUNC;
        cmlen = msg->msg_controllen;
    }
    cmhdr.cmsg_level = level;
    cmhdr.cmsg_type = type;
    cmhdr.cmsg_len = cmlen;

    err = -EFAULT;
    if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
        goto out;
    if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
        goto out;
    cmlen = CMSG_SPACE(len);
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    If MSG_CTRUNC flags is set, msg->msg_controllen is less than 
CMSG_SPACE(len), "msg->msg_controllen -= cmlen" will cause unsinged int 
type msg->msg_controllen to be a large value.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    msg->msg_control += cmlen;
    msg->msg_controllen -= cmlen;
    ~~~~~~~~~~~~~~~~~~~~~
    err = 0;
out:
    return err;
}

The same promble exists in put_cmsg_compat(). This patch can fix this 
problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20 14:36:44 -08:00
..
datagram.c
dev_mcast.c [NET]: Move unneeded data to initdata section. 2007-11-13 03:23:50 -08:00
dev.c [NET] net/core/: Spelling fixes 2007-12-20 14:02:06 -08:00
dst.c [NET]: Removing duplicit #includes 2007-11-07 04:11:44 -08:00
ethtool.c
fib_rules.c [INET]: Small possible memory leak in FIB rules 2007-11-10 22:12:03 -08:00
filter.c
flow.c [NET]: Use BUILD_BUG_ON in net/core/flowi.c 2007-10-23 21:27:57 -07:00
gen_estimator.c
gen_stats.c
iovec.c
kmap_skb.h
link_watch.c
Makefile
neighbour.c [NET]: Remove /proc/net/stat/*_arp_cache upon module removal 2007-11-07 04:08:53 -08:00
net_namespace.c [NET]: Cleanup pernet operation without CONFIG_NET_NS 2007-11-13 03:23:21 -08:00
net-sysfs.c [NET]: Remove in-code externs for some functions from net/core/dev.c 2007-10-23 21:27:56 -07:00
net-sysfs.h [NET]: Remove in-code externs for some functions from net/core/dev.c 2007-10-23 21:27:56 -07:00
netevent.c
netpoll.c [NET]: Fix race between poll_napi() and net_rx_action() 2007-10-29 22:37:28 -07:00
pktgen.c [PKTGEN]: Fix double unlock of xfrm_state->lock 2007-11-19 22:51:24 -08:00
request_sock.c [INET]: Fix potential kfree on vmalloc-ed area of request_sock_queue 2007-11-15 02:57:06 -08:00
rtnetlink.c [NETNS]: Fix get_net_ns_by_pid 2007-10-26 22:56:12 -07:00
scm.c [NET]: Fix function put_cmsg() which may cause usr application memory overflow 2007-12-20 14:36:44 -08:00
skbuff.c [SKBUFF]: Free old skb properly in skb_morph 2007-11-26 23:11:19 +08:00
sock.c [NET]: Unexport sysctl_{r,w}mem_max. 2007-11-12 21:24:14 -08:00
stream.c
sysctl_net_core.c [NET]: Don't declare extern variables in net/core/sysctl_net_core.c 2007-10-23 21:27:56 -07:00
user_dma.c
utils.c