diff options
author | Phil Blundell <philb@gnu.org> | 2010-11-24 14:51:47 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-11-24 14:51:47 -0500 |
commit | a27e13d370415add3487949c60810e36069a23a6 (patch) | |
tree | 072e0ba8e2d629c55be4ef6fa5ae318e2a351e2f | |
parent | 16c41745c7b92a243d0874f534c1655196c64b74 (diff) |
econet: fix CVE-2010-3848
Don't declare variable sized array of iovecs on the stack since this
could cause stack overflow if msg->msgiovlen is large. Instead, coalesce
the user-supplied data into a new buffer and use a single iovec for it.
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/econet/af_econet.c | 62 |
1 files changed, 31 insertions, 31 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index d41ba8e56c10..13992e1d2726 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c | |||
@@ -31,6 +31,7 @@ | |||
31 | #include <linux/skbuff.h> | 31 | #include <linux/skbuff.h> |
32 | #include <linux/udp.h> | 32 | #include <linux/udp.h> |
33 | #include <linux/slab.h> | 33 | #include <linux/slab.h> |
34 | #include <linux/vmalloc.h> | ||
34 | #include <net/sock.h> | 35 | #include <net/sock.h> |
35 | #include <net/inet_common.h> | 36 | #include <net/inet_common.h> |
36 | #include <linux/stat.h> | 37 | #include <linux/stat.h> |
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
276 | #endif | 277 | #endif |
277 | #ifdef CONFIG_ECONET_AUNUDP | 278 | #ifdef CONFIG_ECONET_AUNUDP |
278 | struct msghdr udpmsg; | 279 | struct msghdr udpmsg; |
279 | struct iovec iov[msg->msg_iovlen+1]; | 280 | struct iovec iov[2]; |
280 | struct aunhdr ah; | 281 | struct aunhdr ah; |
281 | struct sockaddr_in udpdest; | 282 | struct sockaddr_in udpdest; |
282 | __kernel_size_t size; | 283 | __kernel_size_t size; |
283 | int i; | ||
284 | mm_segment_t oldfs; | 284 | mm_segment_t oldfs; |
285 | char *userbuf; | ||
285 | #endif | 286 | #endif |
286 | 287 | ||
287 | /* | 288 | /* |
@@ -319,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
319 | } | 320 | } |
320 | } | 321 | } |
321 | 322 | ||
322 | if (len + 15 > dev->mtu) { | ||
323 | mutex_unlock(&econet_mutex); | ||
324 | return -EMSGSIZE; | ||
325 | } | ||
326 | |||
327 | if (dev->type == ARPHRD_ECONET) { | 323 | if (dev->type == ARPHRD_ECONET) { |
328 | /* Real hardware Econet. We're not worthy etc. */ | 324 | /* Real hardware Econet. We're not worthy etc. */ |
329 | #ifdef CONFIG_ECONET_NATIVE | 325 | #ifdef CONFIG_ECONET_NATIVE |
330 | unsigned short proto = 0; | 326 | unsigned short proto = 0; |
331 | int res; | 327 | int res; |
332 | 328 | ||
329 | if (len + 15 > dev->mtu) { | ||
330 | mutex_unlock(&econet_mutex); | ||
331 | return -EMSGSIZE; | ||
332 | } | ||
333 | |||
333 | dev_hold(dev); | 334 | dev_hold(dev); |
334 | 335 | ||
335 | skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev), | 336 | skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev), |
@@ -405,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
405 | return -ENETDOWN; /* No socket - can't send */ | 406 | return -ENETDOWN; /* No socket - can't send */ |
406 | } | 407 | } |
407 | 408 | ||
409 | if (len > 32768) { | ||
410 | err = -E2BIG; | ||
411 | goto error; | ||
412 | } | ||
413 | |||
408 | /* Make up a UDP datagram and hand it off to some higher intellect. */ | 414 | /* Make up a UDP datagram and hand it off to some higher intellect. */ |
409 | 415 | ||
410 | memset(&udpdest, 0, sizeof(udpdest)); | 416 | memset(&udpdest, 0, sizeof(udpdest)); |
@@ -436,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
436 | 442 | ||
437 | /* tack our header on the front of the iovec */ | 443 | /* tack our header on the front of the iovec */ |
438 | size = sizeof(struct aunhdr); | 444 | size = sizeof(struct aunhdr); |
439 | /* | ||
440 | * XXX: that is b0rken. We can't mix userland and kernel pointers | ||
441 | * in iovec, since on a lot of platforms copy_from_user() will | ||
442 | * *not* work with the kernel and userland ones at the same time, | ||
443 | * regardless of what we do with set_fs(). And we are talking about | ||
444 | * econet-over-ethernet here, so "it's only ARM anyway" doesn't | ||
445 | * apply. Any suggestions on fixing that code? -- AV | ||
446 | */ | ||
447 | iov[0].iov_base = (void *)&ah; | 445 | iov[0].iov_base = (void *)&ah; |
448 | iov[0].iov_len = size; | 446 | iov[0].iov_len = size; |
449 | for (i = 0; i < msg->msg_iovlen; i++) { | 447 | |
450 | void __user *base = msg->msg_iov[i].iov_base; | 448 | userbuf = vmalloc(len); |
451 | size_t iov_len = msg->msg_iov[i].iov_len; | 449 | if (userbuf == NULL) { |
452 | /* Check it now since we switch to KERNEL_DS later. */ | 450 | err = -ENOMEM; |
453 | if (!access_ok(VERIFY_READ, base, iov_len)) { | 451 | goto error; |
454 | mutex_unlock(&econet_mutex); | ||
455 | return -EFAULT; | ||
456 | } | ||
457 | iov[i+1].iov_base = base; | ||
458 | iov[i+1].iov_len = iov_len; | ||
459 | size += iov_len; | ||
460 | } | 452 | } |
461 | 453 | ||
454 | iov[1].iov_base = userbuf; | ||
455 | iov[1].iov_len = len; | ||
456 | err = memcpy_fromiovec(userbuf, msg->msg_iov, len); | ||
457 | if (err) | ||
458 | goto error_free_buf; | ||
459 | |||
462 | /* Get a skbuff (no data, just holds our cb information) */ | 460 | /* Get a skbuff (no data, just holds our cb information) */ |
463 | if ((skb = sock_alloc_send_skb(sk, 0, | 461 | if ((skb = sock_alloc_send_skb(sk, 0, |
464 | msg->msg_flags & MSG_DONTWAIT, | 462 | msg->msg_flags & MSG_DONTWAIT, |
465 | &err)) == NULL) { | 463 | &err)) == NULL) |
466 | mutex_unlock(&econet_mutex); | 464 | goto error_free_buf; |
467 | return err; | ||
468 | } | ||
469 | 465 | ||
470 | eb = (struct ec_cb *)&skb->cb; | 466 | eb = (struct ec_cb *)&skb->cb; |
471 | 467 | ||
@@ -481,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
481 | udpmsg.msg_name = (void *)&udpdest; | 477 | udpmsg.msg_name = (void *)&udpdest; |
482 | udpmsg.msg_namelen = sizeof(udpdest); | 478 | udpmsg.msg_namelen = sizeof(udpdest); |
483 | udpmsg.msg_iov = &iov[0]; | 479 | udpmsg.msg_iov = &iov[0]; |
484 | udpmsg.msg_iovlen = msg->msg_iovlen + 1; | 480 | udpmsg.msg_iovlen = 2; |
485 | udpmsg.msg_control = NULL; | 481 | udpmsg.msg_control = NULL; |
486 | udpmsg.msg_controllen = 0; | 482 | udpmsg.msg_controllen = 0; |
487 | udpmsg.msg_flags=0; | 483 | udpmsg.msg_flags=0; |
@@ -489,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
489 | oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ | 485 | oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ |
490 | err = sock_sendmsg(udpsock, &udpmsg, size); | 486 | err = sock_sendmsg(udpsock, &udpmsg, size); |
491 | set_fs(oldfs); | 487 | set_fs(oldfs); |
488 | |||
489 | error_free_buf: | ||
490 | vfree(userbuf); | ||
492 | #else | 491 | #else |
493 | err = -EPROTOTYPE; | 492 | err = -EPROTOTYPE; |
494 | #endif | 493 | #endif |
494 | error: | ||
495 | mutex_unlock(&econet_mutex); | 495 | mutex_unlock(&econet_mutex); |
496 | 496 | ||
497 | return err; | 497 | return err; |