[PATCH 9/9] [PATCH] 32bit sendmsg() flaw (CAN-2005-2490)

Post by Chris Wrig » Sat, 10 Sep 2005 15:50:11


Chris Wright ( XXXX@XXXXX.COM ) wrote:

Minor update from David Miller for clean sparc64 build.

diff --git a/include/net/compat.h b/include/net/compat.h
--- a/include/net/compat.h
+++ b/include/net/compat.h
@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *,
- int);
+
+struct sock;
+extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);

#endif /* NET_COMPAT_H */
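Review bot: the removed line in this delta already carries `struct sock *` (it is the first-version prototype), so this incremental hunk applies on top of the earlier patch, not on a pristine 2.6.13.y include/net/compat.h; anyone picking up only this delta needs the full patch below. The `struct sock;` forward declaration is a minimal way to let the prototype compile wherever the header is included without `struct sock` already in scope, since declaring a pointer parameter only needs the type name.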



Full updated patch
------

When we copy 32bit ->msg_control contents to kernel, we walk the same
userland data twice without sanity checks on the second pass.

Second version of this patch: the original broke with 64-bit arches
running 32-bit-compat-mode executables doing sendmsg() syscalls with
unaligned CMSG data areas.

Another thing is that we use kmalloc() to allocate and sock_kfree_s()
to free afterwards; less serious, but also needs fixing.

Patch by Al Viro, David Miller, David Woodhouse
(sparc64 clean compile fix from David Miller)

Signed-off-by: Al Viro < XXXX@XXXXX.COM >
Signed-off-by: David Woodhouse < XXXX@XXXXX.COM >
Signed-off-by: Chris Wright < XXXX@XXXXX.COM >
---
include/net/compat.h | 5 +++--
net/compat.c | 44 ++++++++++++++++++++++++++------------------
net/socket.c | 3 ++-
3 files changed, 31 insertions(+), 21 deletions(-)
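As an added illustration of the double walk the description above names (example code, not the kernel's or the patch authors'), the following C model performs pass 1, which sizes the kernel buffer from user-supplied compat cmsg lengths, and pass 2, which re-reads those lengths and converts the 12-byte compat headers to 16-byte native ones, with the re-check against the reserved space that the flaw lacked. The struct layouts, the ALIGN macros and the 36-byte input are assumptions constructed for the model; `demo(1)` rewrites a length between the passes the way a racing thread could.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the two-pass compat cmsg copy the patch text describes; a
 * plain array stands in for the user area so it can change between the passes. */
struct compat_cmsg { uint32_t len, level, type; };          /* 12 bytes, 4-aligned */
struct kern_cmsg   { uint64_t len; uint32_t level, type; }; /* 16 bytes, 8-aligned */
#define ALIGN4(x) (((size_t)(x) + 3) & ~(size_t)3)            /* CMSG_COMPAT_ALIGN */
#define ALIGN8(x) (((size_t)(x) + 7) & ~(size_t)7)            /* CMSG_ALIGN */
#define KERN_LEN(ul) ((size_t)(ul) - ALIGN4(12) + ALIGN8(16))   /* the patch's "tmp" */
/* Pass 1: walk the user area to size the kernel buffer; 0 = malformed or empty. */
static size_t size_pass(const unsigned char *ubuf, size_t ulen)
{
    size_t off = 0, total = 0; struct compat_cmsg h;
    while (off + sizeof h <= ulen) {
        memcpy(&h, ubuf + off, sizeof h);
        if (h.len < sizeof h || h.len > ulen - off) return 0;
        total += ALIGN8(KERN_LEN(h.len));   /* aligned record, as the patch adds */
        off += ALIGN4(h.len);
    }
    return total;
}
/* Pass 2: re-read the user area and convert into kbuf (kcmlen bytes from pass 1). Each
 * re-read length is checked against the space left: a changed header gives -1 (EFAULT). */
static long copy_pass(const unsigned char *ubuf, size_t ulen, unsigned char *kbuf, size_t kcmlen)
{
    size_t off = 0, kpos = 0, need; struct compat_cmsg h;
    while (off + sizeof h <= ulen) {
        memcpy(&h, ubuf + off, sizeof h);
        if (h.len < sizeof h || h.len > ulen - off) return -1;
        need = ALIGN8(KERN_LEN(h.len));
        if (need > kcmlen - kpos) return -1;           /* the check that was missing */
        memcpy(kbuf + kpos, &(struct kern_cmsg){ KERN_LEN(h.len), h.level, h.type }, 16);
        memcpy(kbuf + kpos + 16, ubuf + off + sizeof h, h.len - sizeof h);  /* payload */
        kpos += need;
        off += ALIGN4(h.len);
    }
    return (long)kpos;
}
/* Constructed input: one 36-byte cmsg whose payload holds two 12-byte headers; with
 * race != 0 its length becomes 12 between the passes (three records, 48 bytes > 40). */
static long demo(int race)
{
    unsigned char ubuf[36] = {0}, kbuf[40];
    struct compat_cmsg a = {36, 0, 0}, b = {12, 0, 0};
    memcpy(ubuf, &a, 12); memcpy(ubuf + 12, &b, 12); memcpy(ubuf + 24, &b, 12);
    size_t kcmlen = size_pass(ubuf, 36);               /* 40 */
    if (race) memcpy(ubuf, &b, 12);                    /* the racing writer */
    return copy_pass(ubuf, 36, kbuf, kcmlen);          /* 40, or -1 when raced */
}
```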

Index: linux-2.6.13.y/include/net/compat.h
===================================================================
--- linux-2.6.13.y.orig/include/net/compat.h
+++ linux-2.6.13.y/include/net/compat.h
@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, unsigned char *,
- int);
+
+struct sock;
+extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);

#endif /* NET_COMPAT_H */
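Review bot: the rewritten prototype on the `+` line runs well past 80 columns, whereas the line it replaces was wrapped; keep the wrap (`unsigned char *,` then `int);` on a continuation line) so the header matches the surrounding declarations. The forward declaration is needed because the new `struct sock *` parameter otherwise names a type this header does not declare; placing it directly above the prototype, as done here, keeps that dependency visible.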
Index: linux-2.6.13.y/net/compat.c
===================================================================
--- linux-2.6.13.y.orig/net/compat.c
+++ linux-2.6.13.y/net/compat.c
@@ -135,13 +135,14 @@ static inline struct compat_cmsghdr __us
* thus placement) of cmsg headers and length are different for
* 32-bit apps. -DaveM
*/
-int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
+int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
unsigned char *stackbuf, int stackbuf_size)
{
struct compat_cmsghdr __user *ucmsg;
struct cmsghdr *kcmsg, *kcmsg_base;
compat_size_t ucmlen;
__kernel_size_t kcmlen, tmp;
+ int err = -EFAULT;

kcmlen = 0;
kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
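Review bot: `int err = -EFAULT;` becomes the default for every early exit in the function, which is only safe if each later failure path with a different errno (the allocation path the description says needs fixing would normally report -ENOMEM) assigns `err` explicitly before jumping out; the rest of the function is cut off in this excerpt, so that needs checking in the full file. The new `struct sock *sk` parameter is what lets the allocation and the sock_kfree_s() release be paired on the same socket, the second problem the description names.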
@@ -156,6 +157,7 @@ int cmsghdr_from_user_compat_to_kern(str

tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
CMSG_ALIGN(sizeof(struct cmsghdr)));
+ tmp = CMSG_ALIGN(tmp);
kcmlen += tmp;
ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
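Review bot: rounding `tmp` up with CMSG_ALIGN() before adding it to `kcmlen` makes the first-pass total match the aligned stride each kernel-side header occupies; the matching requirement is that the second pass advances `kcmsg` by exactly the same CMSG_ALIGN(tmp), otherwise the space reserved and the bytes written drift apart again. The subtraction `ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))` also relies on a check that `ucmlen` is at least the compat header size, which would sit above this hunk; since the excerpt ends here, neither point can be confirmed from what is shown.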