Re: [PATCH] fix double-fetch bug in sock_getsockopt()

From: David Miller
Date: Sat Jun 15 2019 - 16:37:33 EST


From: JingYi Hou <houjingyi647@xxxxxxxxx>
Date: Thu, 13 Jun 2019 18:44:57 +0800

> In sock_getsockopt(), 'optlen' is fetched the first time from userspace.
> 'len < 0' is then checked. Then in condition 'SO_MEMINFO', 'optlen' is
> fetched the second time from userspace without check.
>
> If a malicious user can change it between the two fetches, this may cause
> security problems or unexpected behavior.
>
> To fix this, we need to recheck it in the second fetch.
>
> Signed-off-by: JingYi Hou <houjingyi647@xxxxxxxxx>

There is no reason to fetch len a second time, so please just remove
the get_user() call here instead.

Also, please format your Subject line properly with appropriate subsystem
prefixes etc.
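Added illustration of the double-fetch pattern this thread is about (example code written for this page, not the kernel's sock_getsockopt() nor the posted patch). It is a userspace C model: a scripted "user word" stands in for a racing user thread, sim_get_user() stands in for get_user(), and two hypothetical handlers read a user-supplied length. The first re-fetches len after validating it and hands the unvalidated second copy to the copy step; the second does what the reply asks for, fetching once and keeping the validated kernel copy. The struct names, handler names and the 16-byte buffer size are constructed for the example; nothing is actually copied, so the out-of-bounds length is observable without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>

#define KBUF_SIZE 16   /* constructed size of the kernel-side buffer being copied out */

/*
 * Constructed model of a user-controlled word. In reality a second user
 * thread flips the value between the kernel's two get_user() calls; here
 * the flip is scripted so the outcome is deterministic.
 */
struct user_word {
    int first;        /* value present at the first fetch */
    int later;        /* value present at every later fetch */
    int fetch_count;
};

/* Stand-in for get_user(): every call re-reads the word from "user space". */
static int sim_get_user(int *dst, struct user_word *src)
{
    *dst = (src->fetch_count == 0) ? src->first : src->later;
    src->fetch_count++;
    return 0;
}

struct result {
    int rc;        /* 0 or a negative errno */
    int copy_len;  /* byte count that would reach copy_to_user() */
};

/* Double-fetch pattern: validate the first copy of len, then re-read it and
 * use the second, unvalidated copy. Hypothetical handler for illustration. */
static struct result handler_double_fetch(struct user_word *optlen)
{
    struct result r = { 0, 0 };
    int len;

    if (sim_get_user(&len, optlen)) { r.rc = -EFAULT; return r; }
    if (len < 0 || len > KBUF_SIZE) { r.rc = -EINVAL; return r; }   /* check */

    if (sim_get_user(&len, optlen)) { r.rc = -EFAULT; return r; }  /* BUG: re-fetch */
    r.copy_len = len;   /* the check above never saw this value */
    return r;
}

/* Fix in the direction the reply asks for: fetch len once, validate it, and
 * keep using the validated kernel copy for the rest of the handler. */
static struct result handler_single_fetch(struct user_word *optlen)
{
    struct result r = { 0, 0 };
    int len;

    if (sim_get_user(&len, optlen)) { r.rc = -EFAULT; return r; }
    if (len < 0 || len > KBUF_SIZE) { r.rc = -EINVAL; return r; }

    r.copy_len = len;   /* same value the check validated */
    return r;
}

/* Run a handler against a freshly scripted user word. */
static struct result run(struct result (*h)(struct user_word *), int first, int later)
{
    struct user_word w = { first, later, 0 };
    return h(&w);
}

int main(void)
{
    /* user passes 8, then flips the word to 4096 after the check has run */
    struct result a = run(handler_double_fetch, 8, 4096);
    struct result b = run(handler_single_fetch, 8, 4096);

    printf("double fetch: rc=%d copy_len=%d (kernel buffer is %d bytes)\n",
           a.rc, a.copy_len, KBUF_SIZE);
    printf("single fetch: rc=%d copy_len=%d\n", b.rc, b.copy_len);
    return 0;
}
```

With the scripted flip from 8 to 4096, the double-fetch handler reports success with a 4096-byte copy out of a 16-byte buffer, while the single-fetch handler copies the 8 bytes it validated. Re-checking after the second fetch would also close the window, but once the second copy is never taken there is nothing left to re-check, which is why dropping the extra get_user() is the simpler change.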