Re: [PATCH 3.1-rc3/3.0.3] sendmmsg/sendmsg: fix unsafe userpointer access
From: David Miller
Date: Wed Aug 24 2011 - 22:45:41 EST
From: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
Date: Wed, 24 Aug 2011 22:39:40 -0400
> Dereferencing a user pointer directly from kernel-space without going
> through the copy_from_user family of functions is a bad idea. Two of
> such usages can be found in the sendmsg code path called from sendmmsg,
> added by
>
> commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
> commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
>
> Usages are performed through memcmp() and memcpy() directly. Fix those
> by using the already copied msg_sys structure instead of the __user *msg
> structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
> or verify_iovec(), which requires additional NULL pointer checks.
>
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
> Signed-off-by: David Goulet <dgoulet@xxxxxxxxx>
> CC: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> CC: Anton Blanchard <anton@xxxxxxxxx>
> CC: David S. Miller <davem@xxxxxxxxxxxxx>
> CC: stable <stable@xxxxxxxxxx>
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/