Bugzilla: 1035887

Upstream-status: 3.13

From bceaa90240b6019ed73b49965eac7d167610be69 Mon Sep 17 00:00:00 2001

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

Date: Mon, 18 Nov 2013 04:20:45 +0100

Subject: [PATCH] inet: prevent leakage of uninitialized memory to user in recv

 syscalls

Only update *addr_len when we actually fill in sockaddr, otherwise we

can return uninitialized memory from the stack to the caller in the

recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)

checks because we only get called with a valid addr_len pointer either

from sock_common_recvmsg or inet_recvmsg.

If a blocking read waits on a socket which is concurrently shut down we

now return zero and set msg_msgnamelen to 0.

Reported-by: mpb <mpb.mail@gmail.com>

Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

Signed-off-by: David S. Miller <davem@davemloft.net>

---

 net/ieee802154/dgram.c |  3 +--

 net/ipv4/ping.c        | 19 +++++++------------

 net/ipv4/raw.c         |  4 +---

 net/ipv4/udp.c         |  7 +------

 net/ipv6/raw.c         |  4 +---

 net/ipv6/udp.c         |  5 +----

 net/l2tp/l2tp_ip.c     |  4 +---

 net/phonet/datagram.c  |  9 ++++-----

 8 files changed, 17 insertions(+), 38 deletions(-)

diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c

index 581a595..1865fdf 100644

--- a/net/ieee802154/dgram.c

+++ b/net/ieee802154/dgram.c

@@ -315,9 +315,8 @@ static int dgram_recvmsg(struct kiocb *iocb, struct sock *sk,

 	if (saddr) {

 		saddr->family = AF_IEEE802154;

 		saddr->addr = mac_cb(skb)->sa;

-	}

-	if (addr_len)

 		*addr_len = sizeof(*saddr);

+	}

 	if (flags & MSG_TRUNC)

 		copied = skb->len;

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c

index 9afbdb1..aacefa0 100644

--- a/net/ipv4/ping.c

+++ b/net/ipv4/ping.c

@@ -830,8 +830,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 {

 	struct inet_sock *isk = inet_sk(sk);

 	int family = sk->sk_family;

-	struct sockaddr_in *sin;

-	struct sockaddr_in6 *sin6;

 	struct sk_buff *skb;

 	int copied, err;

@@ -841,13 +839,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 	if (flags & MSG_OOB)

 		goto out;

-	if (addr_len) {

-		if (family == AF_INET)

-			*addr_len = sizeof(*sin);

-		else if (family == AF_INET6 && addr_len)

-			*addr_len = sizeof(*sin6);

-	}

-

 	if (flags & MSG_ERRQUEUE) {

 		if (family == AF_INET) {

 			return ip_recv_error(sk, msg, len);

@@ -877,11 +868,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 	/* Copy the address and add cmsg data. */

 	if (family == AF_INET) {

-		sin = (struct sockaddr_in *) msg->msg_name;

+		struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;

+

 		sin->sin_family = AF_INET;

 		sin->sin_port = 0 /* skb->h.uh->source */;

 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;

 		memset(sin->sin_zero, 0, sizeof(sin->sin_zero));

+		*addr_len = sizeof(*sin);

 		if (isk->cmsg_flags)

 			ip_cmsg_recv(msg, skb);

@@ -890,17 +883,19 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 	} else if (family == AF_INET6) {

 		struct ipv6_pinfo *np = inet6_sk(sk);

 		struct ipv6hdr *ip6 = ipv6_hdr(skb);

-		sin6 = (struct sockaddr_in6 *) msg->msg_name;

+		struct sockaddr_in6 *sin6 =

+			(struct sockaddr_in6 *)msg->msg_name;

+

 		sin6->sin6_family = AF_INET6;

 		sin6->sin6_port = 0;

 		sin6->sin6_addr = ip6->saddr;

-

 		sin6->sin6_flowinfo = 0;

 		if (np->sndflow)

 			sin6->sin6_flowinfo = ip6_flowinfo(ip6);

 		sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,

 							  IP6CB(skb)->iif);

+		*addr_len = sizeof(*sin6);

 		if (inet6_sk(sk)->rxopt.all)

 			pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb);

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c

index 41e1d28..5cb8ddb 100644

--- a/net/ipv4/raw.c

+++ b/net/ipv4/raw.c

@@ -696,9 +696,6 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 	if (flags & MSG_OOB)

 		goto out;

-	if (addr_len)

-		*addr_len = sizeof(*sin);

-

 	if (flags & MSG_ERRQUEUE) {

 		err = ip_recv_error(sk, msg, len);

 		goto out;

@@ -726,6 +723,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;

 		sin->sin_port = 0;

 		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));

+		*addr_len = sizeof(*sin);

 	}

 	if (inet->cmsg_flags)

 		ip_cmsg_recv(msg, skb);

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c

index 89909dd..998431c 100644

--- a/net/ipv4/udp.c

+++ b/net/ipv4/udp.c

@@ -1235,12 +1235,6 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,

 	int is_udplite = IS_UDPLITE(sk);

 	bool slow;

-	/*

-	 *	Check any passed addresses

-	 */

-	if (addr_len)

-		*addr_len = sizeof(*sin);

-

 	if (flags & MSG_ERRQUEUE)

 		return ip_recv_error(sk, msg, len);

@@ -1302,6 +1296,7 @@ try_again:

 		sin->sin_port = udp_hdr(skb)->source;

 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;

 		memset(sin->sin_zero, 0, sizeof(sin->sin_zero));

+		*addr_len = sizeof(*sin);

 	}

 	if (inet->cmsg_flags)

 		ip_cmsg_recv(msg, skb);

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c

index 3c00842..e24ff1d 100644

--- a/net/ipv6/raw.c

+++ b/net/ipv6/raw.c

@@ -465,9 +465,6 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,

 	if (flags & MSG_OOB)

 		return -EOPNOTSUPP;

-	if (addr_len)

-		*addr_len=sizeof(*sin6);

-

 	if (flags & MSG_ERRQUEUE)

 		return ipv6_recv_error(sk, msg, len);

@@ -506,6 +503,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,

 		sin6->sin6_flowinfo = 0;

 		sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,

 							  IP6CB(skb)->iif);

+		*addr_len = sizeof(*sin6);

 	}

 	sock_recv_ts_and_drops(msg, sk, skb);

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c

index f3893e8..81eb8cf 100644

--- a/net/ipv6/udp.c

+++ b/net/ipv6/udp.c

@@ -392,9 +392,6 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,

 	int is_udp4;

 	bool slow;

-	if (addr_len)

-		*addr_len = sizeof(struct sockaddr_in6);

-

 	if (flags & MSG_ERRQUEUE)

 		return ipv6_recv_error(sk, msg, len);

@@ -480,7 +477,7 @@ try_again:

 				ipv6_iface_scope_id(&sin6->sin6_addr,

 						    IP6CB(skb)->iif);

 		}

-

+		*addr_len = sizeof(*sin6);

 	}

 	if (is_udp4) {

 		if (inet->cmsg_flags)

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c

index 571db8d..da1a1ce 100644

--- a/net/l2tp/l2tp_ip.c

+++ b/net/l2tp/l2tp_ip.c

@@ -518,9 +518,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m

 	if (flags & MSG_OOB)

 		goto out;

-	if (addr_len)

-		*addr_len = sizeof(*sin);

-

 	skb = skb_recv_datagram(sk, flags, noblock, &err;;

 	if (!skb)

 		goto out;

@@ -543,6 +540,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m

 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;

 		sin->sin_port = 0;

 		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));

+		*addr_len = sizeof(*sin);

 	}

 	if (inet->cmsg_flags)

 		ip_cmsg_recv(msg, skb);

diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c

index 12c30f3..38946b2 100644

--- a/net/phonet/datagram.c

+++ b/net/phonet/datagram.c

@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,

 			MSG_CMSG_COMPAT))

 		goto out_nofree;

-	if (addr_len)

-		*addr_len = sizeof(sa);

-

 	skb = skb_recv_datagram(sk, flags, noblock, &rval);

 	if (skb == NULL)

 		goto out_nofree;

@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,

 	rval = (flags & MSG_TRUNC) ? skb->len : copylen;

-	if (msg->msg_name != NULL)

-		memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn));

+	if (msg->msg_name != NULL) {

+		memcpy(msg->msg_name, &sa, sizeof(sa));

+		*addr_len = sizeof(sa);

+	}

 out:

 	skb_free_datagram(sk, skb);

-- 

1.8.3.1