linux-man.vger.kernel.org archive mirror
From: Rich Felker <dalias@libc.org>
To: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: linux-man <linux-man@vger.kernel.org>, Arnd Bergmann <arnd@arndb.de>
Subject: Access to CMSG_DATA
Date: Tue, 17 Dec 2019 09:36:09 -0500
Message-ID: <20191217143609.GA23014@brightrain.aerifal.cx>

It came to my attention while reviewing possible breakage with move to
64-bit time_t that some applications are dereferencing data in socket
control messages (particularly SCM_TIMESTAMP*) in-place as the message
type, rather than memcpy'ing it to appropriate storage. This
necessarily does not work and is not supportable if the message
contains data with greater alignment requirement than the header. In
particular, on 32-bit archs, cmsghdr has size 12 and alignment 4, but
struct timeval and timespec may have alignment requirement 8.

I found at least ptpd, socat, and ssmping doing this via Debian Code
Search:

https://sources.debian.org/src/ptpd/2.3.1-debian1-4/src/dep/net.c/?hl=1578#L1578
https://sources.debian.org/src/socat/1.7.3.3-2/xio-socket.c/?hl=1839#L1839
https://sources.debian.org/src/ssmping/0.9.1-3/ssmpngcl.c/?hl=307#L307

and I suspect there are a good deal more out there. On most archs they
won't break, or will visibly break with SIGBUS, but in theory it's
possible that they silently read wrong data and this might happen on
some older and more tiny-embedded-oriented archs.

I think it's clear to someone who understands alignment and who's
thought about it that applications just can't do this, but it doesn't
seem to be documented, and an example in cmsg(3) even shows access to
int payload via *(int *)CMSG_DATA(cmsg) (of course int is safe because
its alignment is <= header alignment, but this is not mentioned).

Could we add text, and perhaps change the example, to indicate that in
general memcpy needs to be used to copy the payload to/from a suitable
object?

Rich

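The point above, shown in code. This is an added example, not code from the mail or from any of the projects it names: it builds a control buffer of the shape recvmsg(2) would return for SO_TIMESTAMP, reads the SCM_TIMESTAMP payload back with memcpy instead of the in-place cast, rejects a message whose cmsg_len is too short to hold a struct timeval, and computes where CMSG_DATA() lands relative to the header so you can see why an 8-byte-aligned payload behind a 12-byte (ILP32) header cannot be dereferenced in place. The sample timestamp, the SCM_RIGHTS filler message and the fallback SCM_TIMESTAMP definition are constructed for the example; it assumes a Linux/glibc or musl <sys/socket.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>

#ifndef SCM_TIMESTAMP
#define SCM_TIMESTAMP SO_TIMESTAMP   /* same definition as asm-generic/socket.h; fallback only */
#endif

/* Append one control message to 'control' (capacity 'cap', 'used' bytes
 * already filled).  The payload goes in via memcpy, so the alignment of
 * 'data' relative to the header never matters.  Returns the new used size,
 * or 0 if the message does not fit. */
size_t append_cmsg(unsigned char *control, size_t used, size_t cap,
                   int level, int type, const void *data, size_t len)
{
    size_t need = CMSG_SPACE(len);
    if (used > cap || cap - used < need)
        return 0;
    /* CMSG_SPACE() values are multiples of the cmsghdr alignment, so an
     * aligned buffer plus 'used' is still aligned for the header itself. */
    struct cmsghdr *c = (struct cmsghdr *)(control + used);
    memset(c, 0, need);
    c->cmsg_level = level;
    c->cmsg_type = type;
    c->cmsg_len = CMSG_LEN(len);
    memcpy(CMSG_DATA(c), data, len);
    return used + need;
}

/* Walk a control buffer as filled by recvmsg(2), find SCM_TIMESTAMP and copy
 * the struct timeval out.  Returns 1 if found, 0 if absent, -1 if a message
 * claims to be a timestamp but is too short to hold one. */
int read_scm_timestamp(void *control, size_t controllen, struct timeval *out)
{
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = control;
    msg.msg_controllen = controllen;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_TIMESTAMP)
            continue;
        if (c->cmsg_len < CMSG_LEN(sizeof *out))
            return -1;                      /* truncated payload: do not trust it */
        /* The portable form.  The pattern the mail warns about is
         *     *out = *(struct timeval *)CMSG_DATA(c);
         * which is a misaligned load whenever CMSG_DATA() is only 4-aligned. */
        memcpy(out, CMSG_DATA(c), sizeof *out);
        return 1;
    }
    return 0;
}

/* Byte offset from the start of a cmsghdr to CMSG_DATA(), measured on a
 * real, aligned header so no misaligned pointer is ever formed.
 * Typically 12 on ILP32 and 16 on LP64 Linux. */
size_t cmsg_data_offset(void)
{
    union { struct cmsghdr c; unsigned char pad[64]; } u;
    memset(&u, 0, sizeof u);
    return (size_t)(CMSG_DATA(&u.c) - (unsigned char *)&u.c);
}

/* Would a cmsghdr placed at address 'base' give CMSG_DATA() aligned to
 * 'align'?  With a 12-byte header an 8-aligned buffer yields a 4-aligned
 * payload, which is exactly the problem for struct timeval/timespec. */
int cmsg_data_is_aligned(uintptr_t base, size_t align)
{
    return ((base + cmsg_data_offset()) % align) == 0;
}

/* Round trip: pack a timestamp behind an unrelated message, read it back,
 * then confirm a too-short timestamp message is rejected.  Returns 1 on
 * success. */
int selftest(void)
{
    union {
        unsigned char buf[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct timeval))];
        struct cmsghdr align;
    } u;
    struct timeval in = { 1576593369, 123456 }, out = { 0, 0 };  /* constructed sample */
    int fd = 3;   /* constructed SCM_RIGHTS-shaped filler, not a real descriptor */
    size_t used = append_cmsg(u.buf, 0, sizeof u.buf, SOL_SOCKET, SCM_RIGHTS, &fd, sizeof fd);
    used = append_cmsg(u.buf, used, sizeof u.buf, SOL_SOCKET, SCM_TIMESTAMP, &in, sizeof in);
    if (used == 0 || read_scm_timestamp(u.buf, used, &out) != 1)
        return 0;
    if (out.tv_sec != in.tv_sec || out.tv_usec != in.tv_usec)
        return 0;
    union { unsigned char buf[CMSG_SPACE(4)]; struct cmsghdr align; } t;
    unsigned char junk[4] = { 0 };  /* header says SCM_TIMESTAMP, only 4 payload bytes */
    used = append_cmsg(t.buf, 0, sizeof t.buf, SOL_SOCKET, SCM_TIMESTAMP, junk, sizeof junk);
    return read_scm_timestamp(t.buf, used, &out) == -1;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    printf("cmsghdr size %zu, CMSG_DATA offset %zu, timeval alignment %zu\n",
           sizeof(struct cmsghdr), cmsg_data_offset(), _Alignof(struct timeval));
    printf("payload 8-aligned when the buffer is 8-aligned: %s\n",
           cmsg_data_is_aligned(8, 8) ? "yes" : "no");
    return 0;
}
```

On an LP64 build the last line prints "yes"; on an ILP32 build with a 12-byte cmsghdr it prints "no", which is the case where the in-place cast is a misaligned access. The cmsg_len check before the memcpy is worth keeping in real code too: a control message shorter than its type implies should be treated as malformed rather than read past.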
Thread overview: 7+ messages
2019-12-17 14:36 Rich Felker [this message]
2019-12-17 20:00 ` Access to CMSG_DATA Arnd Bergmann
2019-12-17 20:47   ` Rich Felker
2020-02-05  0:30     ` Michael Kerrisk (man-pages)
2020-02-05  0:40       ` Rich Felker
2020-02-05  8:08       ` [PATCH] cmsg.3: ffix Dmitry V. Levin
2020-02-07 15:17         ` Michael Kerrisk (man-pages)
