Fix unsafe pointer access in sendmsg/sendmmsg

kernel.spec

@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -680,6 +680,9 @@ Patch21004: vfs-fix-automount-for-negative-autofs-dentries.patch
 # rhbz#727927 rhbz#731278 rhbz#732934
 Patch21005: cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
 
+# from 3.0.5 patch queue
+Patch21006: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1229,6 +1232,9 @@ ApplyPatch vfs-fix-automount-for-negative-autofs-dentries.patch
 # cifs-possible-memory-corruption-on-mount.patch is already queued for 3.0.4
 ApplyPatch cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
 
+# from 3.0.5 patch queue
+ApplyPatch sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1849,6 +1855,9 @@ fi
 # and build.
 
 %changelog
+* Tue Aug 30 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.40.4-4
+- Fix unsafe pointer access in sendmsg/sendmmsg
+
 * Mon Aug 29 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.40.4-3
 - Linux 3.0.4
 

sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch

@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: David Goulet <dgoulet@ev0ke.net>
+CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: Anton Blanchard <anton@samba.org>
+CC: David S. Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/socket.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ 	 * used_address->name_len is initialized to UINT_MAX so that the first
+ 	 * destination address never matches.
+ 	 */
+-	if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+-	    !memcmp(&used_address->name, msg->msg_name,
++	if (used_address && msg_sys->msg_name &&
++	    used_address->name_len == msg_sys->msg_namelen &&
++	    !memcmp(&used_address->name, msg_sys->msg_name,
+ 		    used_address->name_len)) {
+ 		err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ 		goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ 	 */
+ 	if (used_address && err >= 0) {
+ 		used_address->name_len = msg_sys->msg_namelen;
+-		memcpy(&used_address->name, msg->msg_name,
+-		       used_address->name_len);
++		if (msg_sys->msg_name)
++			memcpy(&used_address->name, msg_sys->msg_name,
++			       used_address->name_len);
+ 	}
+ 
+ out_freectl: