diff options
| author | Jordan Rife <jrife@google.com> | 2023-09-21 18:46:41 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2023-10-01 19:31:29 +0100 |
| commit | 86a7e0b69bd5b812e48a20c66c2161744f3caa16 (patch) | |
| tree | fbb4c28fe642bd7539a0872a862398f2c38072b4 /scripts/faddr2line | |
| parent | 26297b4ce1ce4ea40bc9a48ec99f45da3f64d2e2 (diff) | |
| download | linux-stable-86a7e0b69bd5b812e48a20c66c2161744f3caa16.tar.gz linux-stable-86a7e0b69bd5b812e48a20c66c2161744f3caa16.tar.bz2 linux-stable-86a7e0b69bd5b812e48a20c66c2161744f3caa16.zip | |
net: prevent rewrite of msg_name in sock_sendmsg()
Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel
space may observe their value of msg_name change in cases where BPF
sendmsg hooks rewrite the send address. This has been confirmed to break
NFS mounts running in UDP mode and has the potential to break other
systems.
This patch:
1) Creates a new function called __sock_sendmsg() with same logic as the
old sock_sendmsg() function.
2) Replaces calls to sock_sendmsg() made by __sys_sendto() and
__sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy,
as these system calls are already protected.
3) Modifies sock_sendmsg() so that it makes a copy of msg_name if
present before passing it down the stack to insulate callers from
changes to the send address.
Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
Cc: stable@vger.kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jordan Rife <jrife@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'scripts/faddr2line')
0 files changed, 0 insertions, 0 deletions