    [NET]: Fix function put_cmsg() which may cause usr application memory overflow · 1ac70e7a
    Wei Yongjun authored
    When the function put_cmsg() is used to copy kernel information to user
    application memory, if the memory length given by the user application is
    not enough, then due to the bad length calculation of msg.msg_controllen,
    the put_cmsg() function may cause msg.msg_controllen to become a large
    value, such as 0xFFFFFFF0, so the following put_cmsg() can also write
    data to user application memory even though the user has no valid memory
    to store it. This may cause a user application memory overflow.
    
    int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
    {
        struct cmsghdr __user *cm
            = (__force struct cmsghdr __user *)msg->msg_control;
        struct cmsghdr cmhdr;
        int cmlen = CMSG_LEN(len);
        ~~~~~~~~~~~~~~~~~~~~~
        int err;
    
        if (MSG_CMSG_COMPAT & msg->msg_flags)
            return put_cmsg_compat(msg, level, type, len, data);
    
        if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
            msg->msg_flags |= MSG_CTRUNC;
            ret...
scm.c 6.56 KB
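The length bookkeeping the commit message describes, as an added example that is not code from the commit or from the kernel: a user-space model of how put_cmsg() updates msg_controllen, with the unclamped advance beside a clamped one. It assumes a 32-bit layout (12-byte struct cmsghdr, 4-byte cmsg alignment, MSG_CTRUNC modelled as 0x8) and only models the arithmetic; the copy to user memory is omitted.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 32-bit ancillary-data layout (assumed, not from the page). */
#define CMSG_HDR_SZ      12u
#define CMSG_ALIGN_SZ    4u
#define CMSG_ALIGN_UP(x) (((x) + CMSG_ALIGN_SZ - 1u) & ~(CMSG_ALIGN_SZ - 1u))
#define CMSG_LEN_(len)   (CMSG_HDR_SZ + (len))
#define CMSG_SPACE_(len) CMSG_ALIGN_UP(CMSG_HDR_SZ + (len))
#define MSG_CTRUNC_      0x8u   /* modelled flag value */

/* Minimal stand-in for the struct msghdr fields that put_cmsg() updates. */
struct fake_msghdr {
    uint32_t controllen;   /* remaining user buffer; unsigned, like __kernel_size_t */
    unsigned flags;
};

/* Returns 0, or -1 when there is not even room for a cmsghdr.
 * clamp_advance == 0 reproduces the bookkeeping the message complains about:
 * the copy length is clamped to the remaining space, but the advance by
 * CMSG_SPACE(len) is not, so the unsigned subtraction can wrap. */
static int put_cmsg_bookkeeping(struct fake_msghdr *msg, uint32_t len, int clamp_advance)
{
    uint32_t cmlen = CMSG_LEN_(len);

    if (msg->controllen < CMSG_HDR_SZ) {
        msg->flags |= MSG_CTRUNC_;
        return -1;
    }
    if (msg->controllen < cmlen) {
        msg->flags |= MSG_CTRUNC_;     /* data truncated to what fits */
        cmlen = msg->controllen;
    }
    /* (the copy of header + data, cmlen bytes, would happen here) */

    cmlen = CMSG_SPACE_(len);          /* advance by the full aligned size */
    if (clamp_advance && msg->controllen < cmlen)
        cmlen = msg->controllen;       /* hardened: never step past the buffer */
    msg->controllen -= cmlen;          /* wraps to 0xFFFFFFF0 when unclamped */
    return 0;
}

int main(void)
{
    struct fake_msghdr bad = {16, 0}, good = {16, 0};   /* constructed: 16-byte buffer, 20-byte payload */
    put_cmsg_bookkeeping(&bad, 20, 0);
    put_cmsg_bookkeeping(&good, 20, 1);
    printf("unclamped: 0x%08X  clamped: %u\n", bad.controllen, good.controllen);
    return 0;
}
```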