This is a note to let you know that I've just added the patch titled sendmmsg/sendmsg: fix unsafe user pointer access
to the 3.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch and it can be found in the queue-3.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <sta...@kernel.org> know about it. >From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001 From: Mathieu Desnoyers <mathieu.desnoy...@efficios.com> Date: Wed, 24 Aug 2011 19:45:03 -0700 Subject: sendmmsg/sendmsg: fix unsafe user pointer access From: Mathieu Desnoyers <mathieu.desnoy...@efficios.com> commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream. Dereferencing a user pointer directly from kernel-space without going through the copy_from_user family of functions is a bad idea. Two of such usages can be found in the sendmsg code path called from sendmmsg, added by commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream. commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree. Usages are performed through memcmp() and memcpy() directly. Fix those by using the already copied msg_sys structure instead of the __user *msg structure. Note that msg_sys can be set to NULL by verify_compat_iovec() or verify_iovec(), which requires additional NULL pointer checks. Signed-off-by: Mathieu Desnoyers <mathieu.desnoy...@efficios.com> Signed-off-by: David Goulet <dgou...@ev0ke.net> CC: Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp> CC: Anton Blanchard <an...@samba.org> CC: David S. Miller <da...@davemloft.net> Signed-off-by: David S. Miller <da...@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gre...@suse.de> --- net/socket.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/net/socket.c +++ b/net/socket.c @@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket * * used_address->name_len is initialized to UINT_MAX so that the first * destination address never matches. */ - if (used_address && used_address->name_len == msg_sys->msg_namelen && - !memcmp(&used_address->name, msg->msg_name, + if (used_address && msg_sys->msg_name && + used_address->name_len == msg_sys->msg_namelen && + !memcmp(&used_address->name, msg_sys->msg_name, used_address->name_len)) { err = sock_sendmsg_nosec(sock, msg_sys, total_len); goto out_freectl; @@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket * */ if (used_address && err >= 0) { used_address->name_len = msg_sys->msg_namelen; - memcpy(&used_address->name, msg->msg_name, - used_address->name_len); + if (msg_sys->msg_name) + memcpy(&used_address->name, msg_sys->msg_name, + used_address->name_len); } out_freectl: Patches currently in stable-queue which might be from mathieu.desnoy...@efficios.com are queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch _______________________________________________ stable mailing list stable@linux.kernel.org http://linux.kernel.org/mailman/listinfo/stable