projects / firefly-linux-kernel-4.4.55.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f1d4422) | patch
sendmmsg/sendmsg: fix unsafe user pointer access
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Thu, 25 Aug 2011 02:45:03 +0000 (19:45 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 3 Oct 2011 18:39:54 +0000 (11:39 -0700)
commit5772ee1f183ddfb9386bc7792149d731dbba8725
treefd97036cb1bd9a3baa03d6b8df2c2b94f171f238tree | snapshot
parentf1d44226b60a7b28f949105e675ba84a09bcc9a7commit | diff
sendmmsg/sendmsg: fix unsafe user pointer access

commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.

Dereferencing a user pointer directly from kernel-space without going
through the copy_from_user family of functions is a bad idea. Two of
such usages can be found in the sendmsg code path called from sendmmsg,
added by

commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.

Usages are performed through memcmp() and memcpy() directly. Fix those
by using the already copied msg_sys structure instead of the __user *msg
structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
or verify_iovec(), which requires additional NULL pointer checks.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: Anton Blanchard <anton@samba.org>
CC: David S. Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/socket.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.