net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg - kernel/linux.git

diff options

author	Andy Lutomirski <luto@amacapital.net>	2013-05-23 01:07:44 +0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-06-27 21:39:01 +0400
commit	d47a8d585f15a1a7fff655c859bfd90a7fd6f560 (patch)
tree	30902e5af2bb955fb29effe353ba2fa95b3bc129 /net/core/sock.c
parent	791169e5924d35532443c9538e3ba0d49ef0de10 (diff)
download	linux-d47a8d585f15a1a7fff655c859bfd90a7fd6f560.tar.xz

net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg

[ Upstream commits 1be374a0518a288147c6a7398792583200a67261 and a7526eb5d06b0084ef12d7b168d008fcf516caab ] MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Signed-off-by: Andy Lutomirski <luto@amacapital.net> Cc: David S. Miller <davem@davemloft.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'net/core/sock.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: