Re: [PATCH v2 01/18] netlink: make the check for "send from tx_ring" deterministic

[RFC][PATCHSET] more iov_iter conversion in net/* · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 01/18] netlink: make the check for "send from tx_ring" deterministic · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 03/18] rawv6_send_hdrinc(): pass msghdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 02/18] raw_send_hdrinc(): pass msghdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 04/18] propagate msghdr all way down to __qp_memcpy_to_queue() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 05/18] switch rxrpc_send_data() to iov_iter primitives · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 10/18] tipc ->sendmsg() conversion · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 08/18] convert tcp_sendmsg() to iov_iter primitives · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 11/18] bury net/core/iovec.c - nothing in there is used anymore · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 09/18] switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 13/18] net/socket.c: fold do_sock_{read,write} into callers · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 12/18] switch af_alg_make_sg() to iov_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 07/18] stash a pointer to msghdr in struct ping_fakehdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 06/18] make the users of rxrpc_kernel_send_data() set kvec-backed msg_iter properly · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 14/18] switch sockets to ->read_iter/->write_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 18/18] vhost: vhost_scsi_handle_vq() should just use copy_from_user() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 16/18] vhost: don't bother with copying iovec in handle_tx() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
[PATCH 15/18] switch vhost get_indirect() to iov_iter, kill memcpy_fromiovec() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
Re: [RFC][PATCHSET] more iov_iter conversion in net/* · Al Viro <viro@ZenIV.linux.org.uk> · 2015-01-31
Re: [RFC][PATCHSET] more iov_iter conversion in net/* · David Miller <davem@davemloft.net> · 2015-02-02
Re: [RFC][PATCHSET] more iov_iter conversion in net/* · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
Re: [RFC][PATCHSET] more iov_iter conversion in net/* · David Miller <davem@davemloft.net> · 2015-02-02
Re: [RFC][PATCHSET] more iov_iter conversion in net/* · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 12/18] crypto: switch af_alg_make_sg() to iov_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 18/18] vhost: vhost_scsi_handle_vq() should just use copy_from_user() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
Re: [PATCH v2 18/18] vhost: vhost_scsi_handle_vq() should just use copy_from_user() · Nicholas A. Bellinger <hidden> · 2015-02-03
Re: [PATCH v2 18/18] vhost: vhost_scsi_handle_vq() should just use copy_from_user() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-03
[PATCH v2 02/18] ipv4: raw_send_hdrinc(): pass msghdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 01/18] netlink: make the check for "send from tx_ring" deterministic · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
Re: [PATCH v2 01/18] netlink: make the check for "send from tx_ring" deterministic · Sergei Shtylyov <hidden> · 2015-02-02
Re: [PATCH v2 01/18] netlink: make the check for "send from tx_ring" deterministic · David Miller <davem@davemloft.net> · 2015-02-04
Re: [PATCH v2 01/18] netlink: make the check for "send from tx_ring" deterministic · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 12/18] crypto: switch af_alg_make_sg() to iov_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
Re: [PATCH v3 12/18] crypto: switch af_alg_make_sg() to iov_iter · Stephan Mueller <hidden> · 2015-02-09
Re: [PATCH v3 12/18] crypto: switch af_alg_make_sg() to iov_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-09
Re: [PATCH v3 12/18] crypto: switch af_alg_make_sg() to iov_iter · Stephan Mueller <hidden> · 2015-02-09
Re: [PATCH v3 12/18] crypto: switch af_alg_make_sg() to iov_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-09
[PATCH v3 15/18] vhost: switch vhost get_indirect() to iov_iter, kill memcpy_fromiovec() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
Re: [PATCH v3 15/18] vhost: switch vhost get_indirect() to iov_iter, kill memcpy_fromiovec() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-04
[PATCH v3 16/18] vhost: don't bother with copying iovec in handle_tx() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
Re: [PATCH v3 16/18] vhost: don't bother with copying iovec in handle_tx() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-04
[PATCH v3 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
Re: [PATCH v3 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-04
Re: [PATCH v3 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-04
[PATCH v3 18/18] vhost: vhost_scsi_handle_vq() should just use copy_from_user() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
Re: [PATCH v3 18/18] vhost: vhost_scsi_handle_vq() should just use copy_from_user() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-04
[PATCH v3 01/18] netlink: make the check for "send from tx_ring" deterministic · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 03/18] ipv6: rawv6_send_hdrinc(): pass msghdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 02/18] ipv4: raw_send_hdrinc(): pass msghdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 04/18] vmci: propagate msghdr all way down to __qp_memcpy_to_queue() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 06/18] rxrpc: make the users of rxrpc_kernel_send_data() set kvec-backed msg_iter properly · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 05/18] rxrpc: switch rxrpc_send_data() to iov_iter primitives · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 07/18] ip: stash a pointer to msghdr in struct ping_fakehdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 09/18] net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 14/18] net: switch sockets to ->read_iter/->write_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 13/18] net/socket.c: fold do_sock_{read,write} into callers · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 11/18] net: bury net/core/iovec.c - nothing in there is used anymore · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 08/18] ip: convert tcp_sendmsg() to iov_iter primitives · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v3 10/18] tipc: tipc ->sendmsg() conversion · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-04
[PATCH v2 03/18] ipv6: rawv6_send_hdrinc(): pass msghdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 04/18] vmci: propagate msghdr all way down to __qp_memcpy_to_queue() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 07/18] ip: stash a pointer to msghdr in struct ping_fakehdr · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 05/18] rxrpc: switch rxrpc_send_data() to iov_iter primitives · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 06/18] rxrpc: make the users of rxrpc_kernel_send_data() set kvec-backed msg_iter properly · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 10/18] tipc: tipc ->sendmsg() conversion · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 13/18] net/socket.c: fold do_sock_{read,write} into callers · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 11/18] net: bury net/core/iovec.c - nothing in there is used anymore · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 09/18] net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 08/18] ip: convert tcp_sendmsg() to iov_iter primitives · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 14/18] net: switch sockets to ->read_iter/->write_iter · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
[PATCH v2 15/18] vhost: switch vhost get_indirect() to iov_iter, kill memcpy_fromiovec() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
Re: [PATCH v2 15/18] vhost: switch vhost get_indirect() to iov_iter, kill memcpy_fromiovec() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-03
[PATCH v2 16/18] vhost: don't bother with copying iovec in handle_tx() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
Re: [PATCH v2 16/18] vhost: don't bother with copying iovec in handle_tx() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-03
[PATCH v2 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-02
Re: [PATCH v2 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-03
Re: [PATCH v2 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-03
Re: [PATCH v2 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · "Michael S. Tsirkin" <mst@redhat.com> · 2015-02-03
Re: [PATCH v2 17/18] vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() · Al Viro <viro@ZenIV.linux.org.uk> · 2015-02-03

From: Sergei Shtylyov <hidden>
Date: 2015-02-02 13:14:17

Hello.

On 2/2/2015 10:59 AM, Al Viro wrote:

From: Al Viro <viro@zeniv.linux.org.uk>

As it is, zero msg_iovlen means that the first iovec in the kernel
array of iovecs is left uninitialized, so checking if its ->iov_base
is NULL is random.  Since the real users of that thing are doing
sendto(fd, NULL, 0, ...), they are getting msg_iovlen = 1 and
msg_iov[0] = {NULL, 0}, which is what this test is trying to catch.
As suggested by davem, let's just check that msg_iovlen was 1 and
msg_iov[0].iov_base was NULL - _that_ is well-defined and it catches
what we want to catch.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
  net/netlink/af_netlink.c | 4 ++++
  1 file changed, 4 insertions(+)

quoted hunk ↗ jump to hunk

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index a36777b..af51d58 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c

@@ -2298,7 +2298,11 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
  			goto out;
  	}

+        /* It's a really convoluted way for userland to ask for mmaped
+	 * sendmsg(), but that's what we've got...  */

    Hmm, not sure why DaveM hasn't commented on this broken comment formatting 
(perhaps he was going to fix it while applying?). The preferred comment style 
in the networking code is:

/* bla
  * bla
  */

WBR, Sergei

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help