Commit afd86e97 authored by Dan Carpenter's avatar Dan Carpenter Committed by Willy Tarreau

net: heap overflow in __audit_sockaddr()

[ Upstream commit 1661bf36 ]

We need to cap ->msg_namelen or it leads to a buffer overflow when we
to the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
exploit this bug.

The call tree is:
___sys_recvmsg()
  move_addr_to_user()
    audit_sockaddr()
      __audit_sockaddr()
Reported-by: default avatarJri Aedla <juri.aedla@gmail.com>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
[wt: 2.6.32: msg_sys is a struct, not a pointer]
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent 3e644055
...@@ -69,6 +69,8 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) ...@@ -69,6 +69,8 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
__get_user(kmsg->msg_controllen, &umsg->msg_controllen) || __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
__get_user(kmsg->msg_flags, &umsg->msg_flags)) __get_user(kmsg->msg_flags, &umsg->msg_flags))
return -EFAULT; return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
return -EINVAL;
kmsg->msg_name = compat_ptr(tmp1); kmsg->msg_name = compat_ptr(tmp1);
kmsg->msg_iov = compat_ptr(tmp2); kmsg->msg_iov = compat_ptr(tmp2);
kmsg->msg_control = compat_ptr(tmp3); kmsg->msg_control = compat_ptr(tmp3);
......
...@@ -1863,6 +1863,16 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how) ...@@ -1863,6 +1863,16 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how)
#define COMPAT_NAMELEN(msg) COMPAT_MSG(msg, msg_namelen) #define COMPAT_NAMELEN(msg) COMPAT_MSG(msg, msg_namelen)
#define COMPAT_FLAGS(msg) COMPAT_MSG(msg, msg_flags) #define COMPAT_FLAGS(msg) COMPAT_MSG(msg, msg_flags)
static int copy_msghdr_from_user(struct msghdr *kmsg,
struct msghdr __user *umsg)
{
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
return -EINVAL;
return 0;
}
/* /*
* BSD sendmsg interface * BSD sendmsg interface
*/ */
...@@ -1887,8 +1897,11 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags) ...@@ -1887,8 +1897,11 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
if (get_compat_msghdr(&msg_sys, msg_compat)) if (get_compat_msghdr(&msg_sys, msg_compat))
return -EFAULT; return -EFAULT;
} }
else if (copy_from_user(&msg_sys, msg, sizeof(struct msghdr))) else {
return -EFAULT; err = copy_msghdr_from_user(&msg_sys, msg);
if (err)
return err;
}
sock = sockfd_lookup_light(fd, &err, &fput_needed); sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock) if (!sock)
...@@ -1997,8 +2010,11 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg, ...@@ -1997,8 +2010,11 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
if (get_compat_msghdr(&msg_sys, msg_compat)) if (get_compat_msghdr(&msg_sys, msg_compat))
return -EFAULT; return -EFAULT;
} }
else if (copy_from_user(&msg_sys, msg, sizeof(struct msghdr))) else {
return -EFAULT; err = copy_msghdr_from_user(&msg_sys, msg);
if (err)
return err;
}
sock = sockfd_lookup_light(fd, &err, &fput_needed); sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock) if (!sock)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment