• Andy Lutomirski's avatar
    net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg · 8beeb76a
    Andy Lutomirski authored
    [ Upstream commits 1be374a0 and
      a7526eb5 ]
    
    MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
    it's a hack that steals a bit to indicate to other networking code
    that a compat entry was used.  So don't allow it from a non-compat
    syscall.
    
    This prevents an oops when running this code:
    
    int main()
    {
    	int s;
    	struct sockaddr_in addr;
    	struct msghdr *hdr;
    
    	char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
    	                      PROT_READ | PROT_WRITE,
    	                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    	if (highpage == MAP_FAILED)
    		err(1, "mmap");
    
    	s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    	if (s == -1)
    		err(1, "socket");
    
            addr.sin_family = AF_INET;
            addr.sin_port = htons(1);
            addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
    		err(1, "connect");
    
    	void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
    	printf("Evil address is %p\n", evil);
    
    	if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
    		err(1, "sendmmsg");
    
    	return 0;
    }
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    8beeb76a
socket.c 82.2 KB