• Mathieu Desnoyers's avatar
    sendmmsg/sendmsg: fix unsafe user pointer access · bc909d9d
    Mathieu Desnoyers authored
    Dereferencing a user pointer directly from kernel-space without going
    through the copy_from_user family of functions is a bad idea. Two of
    such usages can be found in the sendmsg code path called from sendmmsg,
    added by
    
    commit c71d8ebe upstream.
    commit 5b47b803 in the 3.0-stable tree.
    
    Usages are performed through memcmp() and memcpy() directly. Fix those
    by using the already copied msg_sys structure instead of the __user *msg
    structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
    or verify_iovec(), which requires additional NULL pointer checks.
    Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: default avatarDavid Goulet <dgoulet@ev0ke.net>
    CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    CC: Anton Blanchard <anton@samba.org>
    CC: David S. Miller <davem@davemloft.net>
    CC: stable <stable@kernel.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    bc909d9d
socket.c 81.7 KB