[kernel] r16505 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Maximilian Attems
maks at alioth.debian.org
Sat Oct 30 08:33:58 UTC 2010
Author: maks
Date: Sat Oct 30 08:33:37 2010
New Revision: 16505
Log:
add davem's patch for the verify_iovec() INT_MAX limiter change.
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/27
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Fri Oct 29 16:59:05 2010 (r16504)
+++ dists/sid/linux-2.6/debian/changelog Sat Oct 30 08:33:37 2010 (r16505)
@@ -45,6 +45,7 @@
- drm: Only decouple the old_fb from the crtc is we call mode_set*
- drm/i915: Unset cursor if out-of-bounds upon mode change (v4)
- drm/i915,agp/intel: Add second set of PCI-IDs for B43
+ * net: Limit socket I/O iovec total length to INT_MAX.
-- Ben Hutchings <ben at decadent.org.uk> Tue, 19 Oct 2010 23:27:23 +0100
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch Sat Oct 30 08:33:37 2010 (r16505)
@@ -0,0 +1,107 @@
+From 8acfe468b0384e834a303f08ebc4953d72fb690a Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem at davemloft.net>
+Date: Thu, 28 Oct 2010 11:41:55 -0700
+Subject: [PATCH] net: Limit socket I/O iovec total length to INT_MAX.
+
+This helps protect us from overflow issues down in the
+individual protocol sendmsg/recvmsg handlers. Once
+we hit INT_MAX we truncate out the rest of the iovec
+by setting the iov_len members to zero.
+
+This works because:
+
+1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
+ writes are allowed and the application will just continue
+ with another write to send the rest of the data.
+
+2) For datagram oriented sockets, where there must be a
+ one-to-one correspondance between write() calls and
+ packets on the wire, INT_MAX is going to be far larger
+ than the packet size limit the protocol is going to
+ check for and signal with -EMSGSIZE.
+
+Based upon a patch by Linus Torvalds.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/linux/socket.h | 2 +-
+ net/compat.c | 10 ++++++----
+ net/core/iovec.c | 20 +++++++++-----------
+ 3 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 5146b50..86b652f 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -322,7 +322,7 @@ extern int csum_partial_copy_fromiovecend(unsigned char *kdata,
+ int offset,
+ unsigned int len, __wsum *csump);
+
+-extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
++extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
+ extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
+ extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
+ int offset, int len);
+diff --git a/net/compat.c b/net/compat.c
+index 63d260e..3649d58 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -41,10 +41,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
+ compat_size_t len;
+
+ if (get_user(len, &uiov32->iov_len) ||
+- get_user(buf, &uiov32->iov_base)) {
+- tot_len = -EFAULT;
+- break;
+- }
++ get_user(buf, &uiov32->iov_base))
++ return -EFAULT;
++
++ if (len > INT_MAX - tot_len)
++ len = INT_MAX - tot_len;
++
+ tot_len += len;
+ kiov->iov_base = compat_ptr(buf);
+ kiov->iov_len = (__kernel_size_t) len;
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index 72aceb1..c40f27e 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -35,10 +35,9 @@
+ * in any case.
+ */
+
+-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
++int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
+ {
+- int size, ct;
+- long err;
++ int size, ct, err;
+
+ if (m->msg_namelen) {
+ if (mode == VERIFY_READ) {
+@@ -62,14 +61,13 @@ long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
+ err = 0;
+
+ for (ct = 0; ct < m->msg_iovlen; ct++) {
+- err += iov[ct].iov_len;
+- /*
+- * Goal is not to verify user data, but to prevent returning
+- * negative value, which is interpreted as errno.
+- * Overflow is still possible, but it is harmless.
+- */
+- if (err < 0)
+- return -EMSGSIZE;
++ size_t len = iov[ct].iov_len;
++
++ if (len > INT_MAX - err) {
++ len = INT_MAX - err;
++ iov[ct].iov_len = len;
++ }
++ err += len;
+ }
+
+ return err;
+--
+1.7.1
+
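Review bot: The clamp in the verify_iovec() loop (net/core/iovec.c) rewrites `iov[ct].iov_len` in place and silently shortens the request, yet the old explanatory comment is removed with nothing in its place, so a reader cannot tell that truncation rather than -EMSGSIZE is now the intended outcome. I would put a comment above the `if (len > INT_MAX - err)` test, e.g. `/* Cap the running total at INT_MAX: shorten this entry; every later entry ends up with iov_len 0. */`, and note that `err` doubles as the byte total that is returned. The matching cap in iov_from_user_compat_to_kern() in net/compat.c deserves the same comment. The limit only protects paths that go through these two helpers, so any socket entry point that builds its iovec some other way would presumably still need its own length cap, which this patch does not show. The middle of verify_iovec() and its closing brace lie outside the two hunks.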
Modified: dists/sid/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/27 Fri Oct 29 16:59:05 2010 (r16504)
+++ dists/sid/linux-2.6/debian/patches/series/27 Sat Oct 30 08:33:37 2010 (r16505)
@@ -19,3 +19,4 @@
+ bugfix/all/drm-Only-decouple-the-old_fb-from-the-crtc-is-we-cal.patch
+ bugfix/all/drm-i915-Unset-cursor-if-out-of-bounds-upon-mode-cha.patch
+ bugfix/all/drm-i915-agp-intel-Add-second-set-of-PCI-IDs-for-B43.patch
++ bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch