From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Mohamed Ghannam <simo.ghannam@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 27/32] net: ipv4: fix for a race condition in raw_sendmsg
Date: Mon,  1 Jan 2018 15:22:34 +0100	[thread overview]
Message-ID: <20180101140018.584848542@linuxfoundation.org> (raw)
In-Reply-To: <20180101140012.582300879@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mohamed Ghannam <simo.ghannam@gmail.com>


[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]

inet->hdrincl is racy, and could lead to uninitialized stack pointer
usage, so its value should be read only once.

Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/raw.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -483,11 +483,16 @@ static int raw_sendmsg(struct kiocb *ioc
 	u8  tos;
 	int err;
 	struct ip_options_data opt_copy;
+	int hdrincl;
 
 	err = -EMSGSIZE;
 	if (len > 0xFFFF)
 		goto out;
 
+	/* hdrincl should be READ_ONCE(inet->hdrincl)
+	 * but READ_ONCE() doesn't work with bit fields
+	 */
+	hdrincl = inet->hdrincl;
 	/*
 	 *	Check the flags.
 	 */
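Review bot: the new comment explains why READ_ONCE() is not used but not why a plain load of a bit field is still acceptable here; suggest extending it to say that the purpose of the local is consistency, not atomicity, i.e. every later `hdrincl` test in raw_sendmsg() now sees the same snapshot even if the field is flipped through setsockopt(IP_HDRINCL) concurrently. Taking the snapshot before the flag checks, ahead of any `goto done`/`goto out` path, is the right placement.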
@@ -560,7 +565,7 @@ static int raw_sendmsg(struct kiocb *ioc
 		/* Linux does not mangle headers on raw sockets,
 		 * so that IP options + IP_HDRINCL is non-sense.
 		 */
-		if (inet->hdrincl)
+		if (hdrincl)
 			goto done;
 		if (ipc.opt->opt.srr) {
 			if (!daddr)
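Review bot: `if (hdrincl) goto done;` now jumps on the snapshot, so a flag change after the snapshot can no longer let a packet with IP options pass this check while the later send decision treats the socket as IP_HDRINCL; the comment above it still describes the behaviour accurately. The only thing to confirm for this hunk is that `err` already holds the intended value before this `goto done`, which is outside the visible context.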
@@ -582,12 +587,12 @@ static int raw_sendmsg(struct kiocb *ioc
 
 	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
 			   RT_SCOPE_UNIVERSE,
-			   inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+			   hdrincl ? IPPROTO_RAW : sk->sk_protocol,
 			   inet_sk_flowi_flags(sk) |
-			    (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+			    (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
 			   daddr, saddr, 0, 0);
 
-	if (!inet->hdrincl) {
+	if (!hdrincl) {
 		err = raw_probe_proto_opt(&fl4, msg);
 		if (err)
 			goto done;
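Review bot: this is the hunk that actually closes the race from the commit message: the protocol and FLOWI_FLAG_KNOWN_NH passed to flowi4_init_output() and the `if (!hdrincl)` decision to call raw_probe_proto_opt() now derive from the same value, whereas before, a flag change between the separate `inet->hdrincl` reads could skip the probe while the flow had been built for the non-hdrincl protocol, or the reverse. Suggest stating this in the commit message, since "uninitialized stack pointer usage" does not say which of the reads could disagree.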
@@ -609,7 +614,7 @@ static int raw_sendmsg(struct kiocb *ioc
 		goto do_confirm;
 back_from_confirm:
 
-	if (inet->hdrincl)
+	if (hdrincl)
 		err = raw_send_hdrinc(sk, &fl4, msg->msg_iov, len,
 				      &rt, msg->msg_flags);
 
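Review bot: using the snapshot at `back_from_confirm:` is correct, since the do_confirm round trip must not change which send path is taken relative to the flow built earlier. The remaining item for review is the branch that follows this `if (hdrincl)` and anything reached from raw_send_hdrinc(), both outside the hunk's context; they should be checked for further `inet->hdrincl` reads so the function uses the local everywhere and the race is fully closed rather than only in the lines shown.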
