linux/net
Wei Yongjun 1ac70e7ad2 [NET]: Fix function put_cmsg() which may cause usr application memory overflow
When the put_cmsg() function is used to copy kernel information to user 
application memory, if the memory length given by the user application is 
not enough, the bad length calculation of msg.msg_controllen may cause 
put_cmsg() to set msg.msg_controllen to a large 
value, such as 0xFFFFFFF0, so the following put_cmsg() can also write 
data to user application memory even if the user has no valid memory to store 
this. This may cause a user application memory overflow.

int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
    struct cmsghdr __user *cm
        = (__force struct cmsghdr __user *)msg->msg_control;
    struct cmsghdr cmhdr;
    int cmlen = CMSG_LEN(len);
    ~~~~~~~~~~~~~~~~~~~~~
    int err;

    if (MSG_CMSG_COMPAT & msg->msg_flags)
        return put_cmsg_compat(msg, level, type, len, data);

    if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
        msg->msg_flags |= MSG_CTRUNC;
        return 0; /* XXX: return error? check spec. */
    }
    if (msg->msg_controllen < cmlen) {
    ~~~~~~~~~~~~~~~~~~~~~~~~
        msg->msg_flags |= MSG_CTRUNC;
        cmlen = msg->msg_controllen;
    }
    cmhdr.cmsg_level = level;
    cmhdr.cmsg_type = type;
    cmhdr.cmsg_len = cmlen;

    err = -EFAULT;
    if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
        goto out;
    if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
        goto out;
    cmlen = CMSG_SPACE(len);
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    If the MSG_CTRUNC flag is set, msg->msg_controllen is less than 
CMSG_SPACE(len), so "msg->msg_controllen -= cmlen" will cause the unsigned int 
msg->msg_controllen to become a large value.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
    msg->msg_control += cmlen;
    msg->msg_controllen -= cmlen;
    ~~~~~~~~~~~~~~~~~~~~~
    err = 0;
out:
    return err;
}

The same problem exists in put_cmsg_compat(). This patch fixes this 
problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20 14:36:44 -08:00
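The wrap-around described in the commit message, as a user-space model added here (not the kernel's code and not the patch): a bounds-checked stand-in for copy_to_user() shows where the second put_cmsg() would land once msg_controllen has wrapped, and the fixed variant clamps CMSG_SPACE(len) to the space actually left before advancing, which is assumed to be the patch's approach rather than copied from it. The cmsghdr layout, the ALIGN8 macros and the 20-byte buffer with a 12-byte payload are constructed for the example.

```c
#include <string.h>
/* Constructed user-space model of the put_cmsg() arithmetic; names mimic the kernel's but this is not kernel code. */
struct cmsghdr_m { size_t cmsg_len; int cmsg_level; int cmsg_type; };
#define ALIGN8(n)         (((size_t)(n) + 7) & ~(size_t)7)
#define CMSG_LEN_M(len)   (ALIGN8(sizeof(struct cmsghdr_m)) + (len))
#define CMSG_SPACE_M(len) (ALIGN8(sizeof(struct cmsghdr_m)) + ALIGN8(len))
#define MSG_CTRUNC_M      0x08
struct msg_m {
    unsigned char *buf; size_t buf_size;  /* user control buffer and its real size */
    unsigned int msg_control;             /* offset into buf (the kernel keeps a pointer) */
    unsigned int msg_controllen;          /* unsigned, as in the kernel's msghdr */
    int msg_flags;
};
/* Stand-in for copy_to_user(): refuses any write that would leave the buffer. */
static int copy_to_user_m(struct msg_m *m, unsigned int off, const void *src, size_t n)
{
    if (off > m->buf_size || n > m->buf_size - off) return -1; /* EFAULT: past the buffer */
    memcpy(m->buf + off, src, n);
    return 0;
}
/* fixed == 0 reproduces the underflow; fixed == 1 clamps CMSG_SPACE(len) to the
 * space left before advancing (assumed fix, not copied from the patch). */
static int put_cmsg_m(struct msg_m *m, int level, int type, unsigned int len,
                      const void *data, int fixed)
{
    unsigned int cm = m->msg_control, cmlen = CMSG_LEN_M(len);
    struct cmsghdr_m h;
    if (m->msg_controllen < sizeof h) { m->msg_flags |= MSG_CTRUNC_M; return 0; }
    if (m->msg_controllen < cmlen) { m->msg_flags |= MSG_CTRUNC_M; cmlen = m->msg_controllen; }
    h.cmsg_level = level; h.cmsg_type = type; h.cmsg_len = cmlen;
    if (copy_to_user_m(m, cm, &h, sizeof h) ||
        copy_to_user_m(m, cm + sizeof h, data, cmlen - sizeof h))
        return -1;
    cmlen = CMSG_SPACE_M(len);
    if (fixed && m->msg_controllen < cmlen) cmlen = m->msg_controllen;
    m->msg_control += cmlen;
    m->msg_controllen -= cmlen;  /* unsigned: wraps to ~4G when cmlen > controllen */
    return 0;
}
struct outcome { unsigned int controllen_left; int second_ret; };
/* 20-byte buffer vs 12-byte payload (CMSG_LEN 28, CMSG_SPACE 32): the first message
 * is truncated, then a second one is attempted in the space "left". */
static struct outcome run_scenario(int fixed)
{
    unsigned char buf[20];
    int payload[3] = { 1, 2, 3 };
    struct msg_m m = { buf, sizeof buf, 0, sizeof buf, 0 };
    put_cmsg_m(&m, 0, 1, sizeof payload, payload, fixed);
    int second = put_cmsg_m(&m, 0, 2, sizeof payload, payload, fixed);
    return (struct outcome){ m.msg_controllen, second };
}
```

With fixed == 0 the first call leaves msg_controllen at 0xFFFFFFF4 and the second call's header write is rejected by the bounds check (in the kernel it would fault or land in whatever memory follows the buffer); with fixed == 1 msg_controllen ends at 0 and the second call just sets MSG_CTRUNC.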
9p 9p: add missing end-of-options record for trans_fd 2007-11-06 08:02:53 -06:00
802 [NET]: Move hardware header operations out of netdevice. 2007-10-10 16:52:52 -07:00
8021q [VLAN]: Fix potential race in vlan_cleanup_module vs vlan_ioctl_handler. 2007-12-11 02:45:32 -08:00
appletalk [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
atm [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
ax25 [NET]: Correct two mistaken skb_reset_mac_header() conversions. 2007-12-20 00:25:54 -08:00
bluetooth [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
bridge [BRIDGE]: Assign random address. 2007-12-16 13:35:51 -08:00
core [NET]: Fix function put_cmsg() which may cause usr application memory overflow 2007-12-20 14:36:44 -08:00
dccp [DCCP]: Spelling fixes 2007-12-20 13:59:39 -08:00
decnet [DECNET]: dn_nl_deladdr() almost always returns no error 2007-11-30 23:43:31 +11:00
econet [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
ethernet [NET]: Validate device addr prior to interface-up 2007-10-23 21:27:50 -07:00
ieee80211 Merge branch 'fixes-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2007-11-30 23:29:27 +11:00
ipv4 [NETFILTER] ipv4: Spelling fixes 2007-12-20 14:05:03 -08:00
ipv6 [IPV6]: Spelling fixes 2007-12-20 14:01:35 -08:00
ipx [IPX]: Use existing sock refcnt debugging infrastructure 2007-11-10 21:39:26 -08:00
irda [IRDA]: Spelling fixes 2007-12-20 14:00:51 -08:00
iucv [S390] Explicitly code allocpercpu calls in iucv 2007-11-20 11:13:47 +01:00
key [IPSEC]: Avoid undefined shift operation when testing algorithm ID 2007-12-19 23:44:29 -08:00
lapb [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
llc [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
mac80211 NET: mac80211: fix inappropriate memory freeing 2007-12-19 16:43:47 -08:00
netfilter [NETFILTER]: Spelling fixes 2007-12-20 14:04:24 -08:00
netlabel [NETLABEL]: Spelling fixes 2007-12-20 14:03:11 -08:00
netlink [NET]: Move unneeded data to initdata section. 2007-11-13 03:23:50 -08:00
netrom [NET]: Correct two mistaken skb_reset_mac_header() conversions. 2007-12-20 00:25:54 -08:00
packet [AF_PACKET]: Fix minor code duplication 2007-11-12 21:05:20 -08:00
rfkill rfkill: fix double-mutex-locking 2007-11-29 18:08:48 -05:00
rose [ROSE]: Trivial compilation CONFIG_INET=n case 2007-12-05 05:37:28 -08:00
rxrpc [AF_RXRPC]: Add a missing goto 2007-12-07 04:31:47 -08:00
sched [PKT_SCHED]: Spelling fixes 2007-12-20 14:02:40 -08:00
sctp [SCTP]: Spelling fixes 2007-12-20 14:03:52 -08:00
sunrpc SUNRPC xprtrdma: fix XDR tail buf marshalling for all ops 2007-12-11 22:01:59 -05:00
tipc [TIPC]: Fix semaphore handling. 2007-12-14 13:54:37 -08:00
unix [UNIX]: EOF on non-blocking SOCK_SEQPACKET 2007-11-29 23:19:23 +11:00
wanrouter [NET]: Make /proc/net per network namespace 2007-10-10 16:49:06 -07:00
wireless [WIRELESS] WEXT: Fix userspace corruption on 64-bit. 2007-11-20 03:29:53 -08:00
x25 [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
xfrm [XFRM]: Audit function arguments misordered 2007-12-20 00:00:45 -08:00
compat.c [NET]: Fix function put_cmsg() which may cause usr application memory overflow 2007-12-20 14:36:44 -08:00
Kconfig [NET]: Add network namespace clone & unshare support. 2007-10-10 16:52:46 -07:00
Makefile 9p: Reorganization of 9p file system code 2007-07-14 15:13:40 -05:00
nonet.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
socket.c [NET]: Add the helper kernel_sock_shutdown() 2007-11-12 18:10:39 -08:00
sysctl_net.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
TUNABLE