Re: [patch v2] net: heap overflow in __audit_sockaddr()

question about klen in move_addr_to_user() · Dan Carpenter <hidden> · 2013-03-18
Re: question about klen in move_addr_to_user() · David Miller <davem@davemloft.net> · 2013-03-19
[patch] net: heap overflow in __audit_sockaddr() · Dan Carpenter <hidden> · 2013-10-02
Re: [patch] net: heap overflow in __audit_sockaddr() · Ben Hutchings <hidden> · 2013-10-02
Re: [patch] net: heap overflow in __audit_sockaddr() · Dan Carpenter <hidden> · 2013-10-02
[patch v2] net: heap overflow in __audit_sockaddr() · Dan Carpenter <hidden> · 2013-10-02
Re: [patch v2] net: heap overflow in __audit_sockaddr() · David Miller <davem@davemloft.net> · 2013-10-03
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Eric Wong <hidden> · 2013-11-27
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Hannes Frederic Sowa <hidden> · 2013-11-27
[patch] net: clamp ->msg_namelen instead of returning an error · Dan Carpenter <hidden> · 2013-11-27
Re: [patch] net: clamp ->msg_namelen instead of returning an error · Eric Wong <hidden> · 2013-11-27
Re: [patch] net: clamp ->msg_namelen instead of returning an error · Eric Dumazet <hidden> · 2013-11-27
Re: [patch] net: clamp ->msg_namelen instead of returning an error · David Miller <davem@davemloft.net> · 2013-11-29
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Linus Torvalds <torvalds@linux-foundation.org> · 2013-11-27
Re: [patch v2] net: heap overflow in __audit_sockaddr() · Hannes Frederic Sowa <hidden> · 2013-11-27
RE: [patch v2] net: heap overflow in __audit_sockaddr() · David Laight <hidden> · 2013-11-27

From: Eric Wong <hidden>
Date: 2013-11-27 11:42:49

Dan Carpenter [off-list ref] wrote:

quoted hunk ↗ jump to hunk

--- a/net/socket.c
+++ b/net/socket.c

@@ -1964,6 +1964,16 @@ struct used_address {
 	unsigned int name_len;
 };
 
+static int copy_msghdr_from_user(struct msghdr *kmsg,
+				 struct msghdr __user *umsg)
+{
+	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+		return -EFAULT;
+	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+		return -EINVAL;
+	return 0;

Crap, this seems to break Ruby trunk :x
https://bugs.ruby-lang.org/issues/9124

I'm inclined to think Ruby is wrong to use a gigantic buffer, but this
may also break some other existing userspace code.  I'm not sure what
the best option since breaking userspace (even buggy userspace?) is not
taken lightly.

Is there a different way to fix this in the kernel?

Note: this doesn't affect a stable release of Ruby, yet.

(Not a Ruby developer myself, just occasional contributor).

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help