git.baikalelectronics.ru Git - kernel.git/commit

author	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
	Thu, 25 Aug 2011 02:45:03 +0000 (19:45 -0700)
committer	David S. Miller <davem@davemloft.net>
	Thu, 25 Aug 2011 02:45:03 +0000 (19:45 -0700)
commit	4d71257578a0b04b9bfae35c0c83296d997bc3cc
tree	45fb13261b012c61a64713ee13f5c7fe60a046dd	tree \| snapshot
parent	fd14dbe430829af5c610e99ce5c62fd186f48a9c	commit \| diff

sendmmsg/sendmsg: fix unsafe user pointer access

Dereferencing a user pointer directly from kernel-space without going
through the copy_from_user family of functions is a bad idea. Two of
such usages can be found in the sendmsg code path called from sendmmsg,
added by

commit 9deaf9798374c13aa8664a8f6ac4ebcae180ed94 upstream.
commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.

Usages are performed through memcmp() and memcpy() directly. Fix those
by using the already copied msg_sys structure instead of the __user *msg
structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
or verify_iovec(), which requires additional NULL pointer checks.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: Anton Blanchard <anton@samba.org>
CC: David S. Miller <davem@davemloft.net>
CC: stable <stable@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>