RE: [PATCH] Fix memory overwriting issue when copy an address to user space

From: David Laight
Date: Mon Jul 20 2020 - 11:12:37 EST


From: lebon zhou
> Sent: 20 July 2020 05:35
> To: davem@xxxxxxxxxxxxx; kuba@xxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx
> Subject: [PATCH] Fix memory overwriting issue when copy an address to user space
>
> When the application-provided buffer size is less than sockaddr_storage, the
> kernel will overwrite some memory area, which may cause memory corruption,
> e.g.: in the recvmsg case, let msg_name=malloc(8) and msg_namelen=8; then
> usually the application can call recvmsg successfully, but actually the
> application's memory gets corrupted.

Where?
The copy_to_user() uses the short length provided by the user.
There is even a comment saying that if the address is truncated
the length returned to the user is the full length.

Maybe the application is reusing the msg without re-initialising
it properly.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
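As an added example that is not part of this thread (it was written for this page, not by either author), the following user-space C program checks the two points raised above from the application side: that recvmsg() copies only the msg_namelen bytes the caller advertised and reports the sender's full address length back in msg_namelen, and that reusing the same msghdr for a second call without resetting msg_namelen is what makes the kernel write past an 8-byte msg_name buffer. It is Linux-specific because it uses abstract-namespace AF_UNIX datagram sockets (no filesystem entry needed); the socket names, the 8-byte buffer size and the 0xAA guard pattern are constructed for the demonstration.

```c
/* Added example, not from the LKML thread: observe recvmsg() address
 * truncation from user space and the msghdr-reuse bug it can expose. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SHORT_LEN   8      /* deliberately smaller than the sender's address */
#define GUARD_LEN   64     /* scratch area around msg_name to detect overwrites */
#define GUARD_BYTE  0xAA   /* constructed fill pattern for the guard area */

struct demo_result {
    socklen_t full_len;         /* length of the sender's bound address */
    socklen_t reported_len;     /* msg_namelen after the first recvmsg() */
    int guard_intact_first;     /* 1 if bytes past SHORT_LEN were untouched */
    int guard_intact_reuse;     /* 1 if untouched when msghdr is reused as-is */
    int guard_intact_reset;     /* 1 if untouched when msg_namelen is reset */
};

/* Bind an abstract-namespace AF_UNIX datagram socket (Linux-specific).
 * Returns the address length passed to bind(), or 0 on error. */
static socklen_t bind_abstract(int fd, struct sockaddr_un *sun, const char *tag)
{
    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_UNIX;
    /* sun_path[0] == '\0' selects the abstract namespace; the pid keeps
     * the constructed name unique across concurrent runs. */
    int n = snprintf(sun->sun_path + 1, sizeof(sun->sun_path) - 1,
                     "recvmsg-demo-%s-%ld", tag, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof(sun->sun_path) - 1)
        return 0;
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    if (bind(fd, (struct sockaddr *)sun, len) < 0)
        return 0;
    return len;
}

/* Receive one datagram with msg_name pointing into a guard-filled buffer.
 * *namelen is the msg_namelen the application advertises; on return it holds
 * the value the kernel wrote back (the sender's full address length).
 * Returns 1 if no byte beyond SHORT_LEN was touched, 0 if some were,
 * -1 on error. */
static int recv_with_short_name(int fd, socklen_t *namelen)
{
    unsigned char guard[GUARD_LEN];
    char payload[16];
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct msghdr msg = {
        .msg_name = guard,
        .msg_namelen = *namelen,
        .msg_iov = &iov,
        .msg_iovlen = 1,
    };
    memset(guard, GUARD_BYTE, sizeof(guard));
    if (recvmsg(fd, &msg, 0) < 0)
        return -1;
    *namelen = msg.msg_namelen;
    for (size_t i = SHORT_LEN; i < sizeof(guard); i++)
        if (guard[i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Run the three receives and fill in *r. Returns 0 on success, -1 on error. */
int run_demo(struct demo_result *r)
{
    struct sockaddr_un src, dst;
    static const char ping[] = "ping";
    int sfd = socket(AF_UNIX, SOCK_DGRAM, 0);
    int rfd = socket(AF_UNIX, SOCK_DGRAM, 0);
    int ret = -1;

    memset(r, 0, sizeof(*r));
    if (sfd < 0 || rfd < 0)
        goto out;
    r->full_len = bind_abstract(sfd, &src, "src");
    socklen_t dst_len = bind_abstract(rfd, &dst, "dst");
    if (!r->full_len || !dst_len)
        goto out;
    /* Queue three datagrams so the three recvmsg() calls never block. */
    for (int i = 0; i < 3; i++)
        if (sendto(sfd, ping, sizeof(ping), 0,
                   (struct sockaddr *)&dst, dst_len) < 0)
            goto out;

    /* 1: honest short buffer. Kernel copies SHORT_LEN bytes, reports full length. */
    socklen_t namelen = SHORT_LEN;
    r->guard_intact_first = recv_with_short_name(rfd, &namelen);
    r->reported_len = namelen;
    /* 2: the application bug. msg_namelen now holds the full length from the
     * previous call while the buffer is still SHORT_LEN bytes. */
    r->guard_intact_reuse = recv_with_short_name(rfd, &namelen);
    /* 3: the fix. Reset msg_namelen to the buffer size before every call. */
    namelen = SHORT_LEN;
    r->guard_intact_reset = recv_with_short_name(rfd, &namelen);

    ret = (r->guard_intact_first < 0 || r->guard_intact_reuse < 0 ||
           r->guard_intact_reset < 0) ? -1 : 0;
out:
    if (sfd >= 0) close(sfd);
    if (rfd >= 0) close(rfd);
    return ret;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("demo");
        return 1;
    }
    printf("sender address length %u, reported msg_namelen %u\n",
           (unsigned)r.full_len, (unsigned)r.reported_len);
    printf("guard intact: short buffer=%d, msghdr reused=%d, namelen reset=%d\n",
           r.guard_intact_first, r.guard_intact_reuse, r.guard_intact_reset);
    return 0;
}
```

The first receive leaves the guard intact while msg_namelen comes back larger than 8, which is the truncation signal David refers to. The second receive is the only one that writes past the 8-byte region, and it does so because the application handed the kernel a msg_namelen it never reset; resetting it before the third call makes the overwrite disappear. An application that reuses a msghdr therefore has to treat msg_namelen as an in/out field and restore it to the buffer size on every iteration.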