linux/net
Andy Lutomirski 1be374a051 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg

MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
it's a hack that steals a bit to indicate to other networking code
that a compat entry was used.  So don't allow it from a non-compat
syscall.

This prevents an oops when running this code:

#include <err.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* TASK_SIZE_MAX and COMPAT_MSGHDR_SIZE are kernel-internal constants; the
 * reproducer assumes they are defined with the running kernel's values. */

int main(void)
{
	int s;
	struct sockaddr_in addr;

	/* Map a single page at the very top of the user address range. */
	char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
	                      PROT_READ | PROT_WRITE,
	                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
	if (highpage == MAP_FAILED)
		err(1, "mmap");

	s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
	if (s == -1)
		err(1, "socket");

	addr.sin_family = AF_INET;
	addr.sin_port = htons(1);
	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
		err(1, "connect");

	/* A compat-sized msghdr fits exactly at the end of the mapping. */
	void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
	printf("Evil address is %p\n", evil);

	/* Pass the kernel-internal flag bit from a native (non-compat) syscall. */
	if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
		err(1, "sendmmsg");

	return 0;
}

Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-05-28 23:55:41 -07:00
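The principle behind this commit, as an added user-space model that is not the kernel's code: an entry point reachable from unprivileged callers must reject flag bits the kernel reserves for its own bookkeeping, because otherwise the caller, not the kernel, decides which code path (here: which struct layout) is taken. The flag values are the real ones from <linux/socket.h>; the struct layouts, the function names (internal_sendmsg, native_sendmsg_before, native_sendmsg_after, compat_sendmsg) and the -EFAULT stand-in for a failed copy_from_user are simplifications assumed for the example.

```c
/* Added example modelling the fix in commit 1be374a051; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_CMSG_COMPAT 0x80000000U   /* real value: kernel-internal marker */
#define MSG_DONTWAIT    0x40U         /* real value: a normal user flag */

/* Simplified stand-ins for struct msghdr (64-bit) and struct compat_msghdr (32-bit). */
struct native_msghdr { uint64_t name; uint32_t namelen; uint64_t iov; uint64_t iovlen; };
struct compat_msghdr { uint32_t name; uint32_t namelen; uint32_t iov; uint32_t iovlen; };

/* Shared internal path: the marker bit selects which layout is read from the
 * caller's buffer. ulen stands in for how many bytes are actually accessible. */
static int internal_sendmsg(const void *uhdr, size_t ulen, unsigned int flags,
                            size_t *parsed_len)
{
    size_t need = (flags & MSG_CMSG_COMPAT) ? sizeof(struct compat_msghdr)
                                            : sizeof(struct native_msghdr);
    (void)uhdr;
    if (ulen < need)
        return -EFAULT;               /* stand-in for copy_from_user failing */
    *parsed_len = need;
    return 0;
}

/* Native entry before the fix: user flags are passed straight through, so a
 * native caller can make the kernel parse its buffer with the compat layout. */
static int native_sendmsg_before(const void *uhdr, size_t ulen, unsigned int flags,
                                 size_t *parsed_len)
{
    return internal_sendmsg(uhdr, ulen, flags, parsed_len);
}

/* Native entry after the fix: the internal-only bit is rejected at the boundary. */
static int native_sendmsg_after(const void *uhdr, size_t ulen, unsigned int flags,
                                size_t *parsed_len)
{
    if (flags & MSG_CMSG_COMPAT)
        return -EINVAL;
    return internal_sendmsg(uhdr, ulen, flags, parsed_len);
}

/* Compat entry: only the kernel itself sets the marker, never user space. */
static int compat_sendmsg(const void *uhdr, size_t ulen, unsigned int flags,
                          size_t *parsed_len)
{
    return internal_sendmsg(uhdr, ulen, flags | MSG_CMSG_COMPAT, parsed_len);
}

int main(void)
{
    /* Constructed input: a buffer only large enough for the compat layout. */
    unsigned char buf[sizeof(struct compat_msghdr)];
    size_t parsed = 0;
    int rc;

    memset(buf, 0, sizeof buf);
    rc = native_sendmsg_before(buf, sizeof buf, MSG_CMSG_COMPAT, &parsed);
    printf("before fix: rc=%d, parsed %zu bytes with the compat layout\n", rc, parsed);
    rc = native_sendmsg_after(buf, sizeof buf, MSG_CMSG_COMPAT, &parsed);
    printf("after fix:  rc=%d (EINVAL is %d)\n", rc, -EINVAL);
    return 0;
}
```

The general rule the model illustrates: partition a flags word into user-settable bits and kernel-internal bits, and reject the internal ones in every entry point that user space can reach; the compat wrapper adds the marker itself after that check has passed.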
9p Lots of virtio work which wasn't quite ready for last merge window. Plus 2013-05-02 14:14:04 -07:00
802 net/802/mrp: fix lockdep splat 2013-05-14 13:02:30 -07:00
8021q net: vlan,ethtool: netdev_features_t is more than 32 bit 2013-05-02 13:58:12 -04:00
appletalk
atm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ax25
batman-adv batman-adv: Avoid double freeing of bat_counters 2013-05-21 21:34:36 +02:00
bluetooth Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
bridge netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
caif
can Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ceph libceph: init sent and completed when starting 2013-05-13 12:52:23 -05:00
core Hoist memcpy_fromiovec/memcpy_toiovec into lib/ 2013-05-20 10:24:22 +09:30
dcb
dccp
decnet
dns_resolver
dsa
ethernet
ieee802154
ipv4 ipv4: fix redirect handling for TCP packets 2013-05-27 23:39:19 -07:00
ipv6 ipv6: fix possible crashes in ip6_cork_release() 2013-05-18 12:55:45 -07:00
ipx
irda net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 2013-05-19 15:10:47 -07:00
iucv
key
l2tp
lapb
llc
mac80211 mac80211: report deauth to cfg80211 for local state change 2013-05-16 22:38:08 +02:00
mac802154
netfilter netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary 2013-05-16 17:35:53 +02:00
netlabel netlabel: improve domain mapping validation 2013-05-19 14:49:55 -07:00
netlink
netrom
nfc
openvswitch
packet packet: tpacket_v3: do not trigger bug() on wrong header status 2013-05-03 16:10:33 -04:00
phonet
rds
rfkill
rose
rxrpc
sched
sctp
sunrpc Merge branch 'for-3.10' of git://linux-nfs.org/~bfields/linux 2013-05-10 09:28:55 -07:00
tipc tipc: potential divide by zero in tipc_link_recv_fragment() 2013-05-06 16:16:52 -04:00
unix
vmw_vsock
wimax
wireless cfg80211: fix sending WoWLAN TCP wakeup settings 2013-05-16 22:38:09 +02:00
x25
xfrm xfrm: properly handle invalid states as an error 2013-05-23 01:20:07 -07:00
compat.c
Kconfig
Makefile
nonet.c
socket.c net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg 2013-05-28 23:55:41 -07:00
sysctl_net.c