[kernel/f15: 1/2] Fix unsafe pointer access in sendmsg/sendmmsg

Chuck Ebbert cebbert at fedoraproject.org
Tue Aug 30 13:21:50 UTC 2011 

commit d6189c7ffdde4b405bc3f07b5ca801bcb8b8051d
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Tue Aug 30 09:18:58 2011 -0400

    Fix unsafe pointer access in sendmsg/sendmmsg

 kernel.spec                                        |   11 +++-
 ...sg-sendmsg-fix-unsafe-user-pointer-access.patch |   60 ++++++++++++++++++++
 2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 345b795..a4d9e5f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -680,6 +680,9 @@ Patch21004: vfs-fix-automount-for-negative-autofs-dentries.patch
 # rhbz#727927 rhbz#731278 rhbz#732934
 Patch21005: cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
 
+# from 3.0.5 patch queue
+Patch21006: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1229,6 +1232,9 @@ ApplyPatch vfs-fix-automount-for-negative-autofs-dentries.patch
 # cifs-possible-memory-corruption-on-mount.patch is already queued for 3.0.4
 ApplyPatch cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
 
+# from 3.0.5 patch queue
+ApplyPatch sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1849,6 +1855,9 @@ fi
 # and build.
 
 %changelog
+* Tue Aug 30 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.40.4-4
+- Fix unsafe pointer access in sendmsg/sendmmsg
+
 * Mon Aug 29 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.40.4-3
 - Linux 3.0.4
 
diff --git a/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch b/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
new file mode 100644
index 0000000..0f85bd9
--- /dev/null
+++ b/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
+Signed-off-by: David Goulet <dgoulet at ev0ke.net>
+CC: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+CC: Anton Blanchard <anton at samba.org>
+CC: David S. Miller <davem at davemloft.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/socket.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ 	 * used_address->name_len is initialized to UINT_MAX so that the first
+ 	 * destination address never matches.
+ 	 */
+-	if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+-	    !memcmp(&used_address->name, msg->msg_name,
++	if (used_address && msg_sys->msg_name &&
++	    used_address->name_len == msg_sys->msg_namelen &&
++	    !memcmp(&used_address->name, msg_sys->msg_name,
+ 		    used_address->name_len)) {
+ 		err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ 		goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ 	 */
+ 	if (used_address && err >= 0) {
+ 		used_address->name_len = msg_sys->msg_namelen;
+-		memcpy(&used_address->name, msg->msg_name,
+-		       used_address->name_len);
++		if (msg_sys->msg_name)
++			memcpy(&used_address->name, msg_sys->msg_name,
++			       used_address->name_len);
+ 	}
+ 
+ out_freectl:

More information about the scm-commits mailing list