diff options
author | Mathieu Desnoyers <mathieu.desnoyers@efficios.com> | 2011-08-24 19:45:03 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-08-24 19:45:03 -0700 |
commit | bc909d9ddbf7778371e36a651d6e4194b1cc7d4c (patch) | |
tree | 45fb13261b012c61a64713ee13f5c7fe60a046dd /fs/binfmt_misc.c | |
parent | c6f59d13e24187ff95427a9f4a5a7e14fb8faf5a (diff) | |
download | linux-bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.tar.gz linux-bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.tar.bz2 linux-bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.zip |
sendmmsg/sendmsg: fix unsafe user pointer access
Dereferencing a user pointer directly from kernel-space without going
through the copy_from_user family of functions is a bad idea. Two of
such usages can be found in the sendmsg code path called from sendmmsg,
added by
commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
Usages are performed through memcmp() and memcpy() directly. Fix those
by using the already copied msg_sys structure instead of the __user *msg
structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
or verify_iovec(), which requires additional NULL pointer checks.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: Anton Blanchard <anton@samba.org>
CC: David S. Miller <davem@davemloft.net>
CC: stable <stable@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'fs/binfmt_misc.c')
0 files changed, 0 insertions, 0 deletions