[kernel] r16505 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Maximilian Attems maks at alioth.debian.org
Sat Oct 30 08:33:58 UTC 2010


Author: maks
Date: Sat Oct 30 08:33:37 2010
New Revision: 16505

Log:
Add davem's patch containing the verify_iovec() INT_MAX limiter change.

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/27

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Fri Oct 29 16:59:05 2010	(r16504)
+++ dists/sid/linux-2.6/debian/changelog	Sat Oct 30 08:33:37 2010	(r16505)
@@ -45,6 +45,7 @@
     - drm: Only decouple the old_fb from the crtc is we call mode_set*
     - drm/i915: Unset cursor if out-of-bounds upon mode change (v4)
     - drm/i915,agp/intel: Add second set of PCI-IDs for B43
+  * net: Limit socket I/O iovec total length to INT_MAX.
 
  -- Ben Hutchings <ben at decadent.org.uk>  Tue, 19 Oct 2010 23:27:23 +0100
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch	Sat Oct 30 08:33:37 2010	(r16505)
@@ -0,0 +1,107 @@
+From 8acfe468b0384e834a303f08ebc4953d72fb690a Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem at davemloft.net>
+Date: Thu, 28 Oct 2010 11:41:55 -0700
+Subject: [PATCH] net: Limit socket I/O iovec total length to INT_MAX.
+
+This helps protect us from overflow issues down in the
+individual protocol sendmsg/recvmsg handlers.  Once
+we hit INT_MAX we truncate out the rest of the iovec
+by setting the iov_len members to zero.
+
+This works because:
+
+1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
+   writes are allowed and the application will just continue
+   with another write to send the rest of the data.
+
+2) For datagram oriented sockets, where there must be a
+   one-to-one correspondance between write() calls and
+   packets on the wire, INT_MAX is going to be far larger
+   than the packet size limit the protocol is going to
+   check for and signal with -EMSGSIZE.
+
+Based upon a patch by Linus Torvalds.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/linux/socket.h |    2 +-
+ net/compat.c           |   10 ++++++----
+ net/core/iovec.c       |   20 +++++++++-----------
+ 3 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 5146b50..86b652f 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -322,7 +322,7 @@ extern int csum_partial_copy_fromiovecend(unsigned char *kdata,
+ 					  int offset, 
+ 					  unsigned int len, __wsum *csump);
+ 
+-extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
++extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
+ extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
+ extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
+ 			     int offset, int len);
+diff --git a/net/compat.c b/net/compat.c
+index 63d260e..3649d58 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -41,10 +41,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
+ 		compat_size_t len;
+ 
+ 		if (get_user(len, &uiov32->iov_len) ||
+-		   get_user(buf, &uiov32->iov_base)) {
+-			tot_len = -EFAULT;
+-			break;
+-		}
++		    get_user(buf, &uiov32->iov_base))
++			return -EFAULT;
++
++		if (len > INT_MAX - tot_len)
++			len = INT_MAX - tot_len;
++
+ 		tot_len += len;
+ 		kiov->iov_base = compat_ptr(buf);
+ 		kiov->iov_len = (__kernel_size_t) len;
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index 72aceb1..c40f27e 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -35,10 +35,9 @@
+  *	in any case.
+  */
+ 
+-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
++int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
+ {
+-	int size, ct;
+-	long err;
++	int size, ct, err;
+ 
+ 	if (m->msg_namelen) {
+ 		if (mode == VERIFY_READ) {
+@@ -62,14 +61,13 @@ long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
+ 	err = 0;
+ 
+ 	for (ct = 0; ct < m->msg_iovlen; ct++) {
+-		err += iov[ct].iov_len;
+-		/*
+-		 * Goal is not to verify user data, but to prevent returning
+-		 * negative value, which is interpreted as errno.
+-		 * Overflow is still possible, but it is harmless.
+-		 */
+-		if (err < 0)
+-			return -EMSGSIZE;
++		size_t len = iov[ct].iov_len;
++
++		if (len > INT_MAX - err) {
++			len = INT_MAX - err;
++			iov[ct].iov_len = len;
++		}
++		err += len;
+ 	}
+ 
+ 	return err;
+-- 
+1.7.1
+
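Review bot: In the net/core/iovec.c hunk, the new loop in verify_iovec() silently rewrites `iov[ct].iov_len` once the running total reaches INT_MAX, yet the comment that explained the old overflow handling is deleted and nothing replaces it. I would add a comment above the clamp, for example `/* Cap the total at INT_MAX; entries past the cap are shortened, down to zero length, so the sum handed to protocol handlers cannot overflow int. */`, and state in the function's header comment that the iovec array passed in may be modified. The byte total is still accumulated in `err`, which reads as an error code; naming it `tot_len` as net/compat.c does would make the `len > INT_MAX - err` test easier to audit. The return type also narrows from long to int, so callers outside this patch that keep the result in a wider or unsigned variable are worth checking. The body of verify_iovec() starts and ends outside the nested hunks, so the copy of the iovec from user space is not visible here.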

Modified: dists/sid/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/27	Fri Oct 29 16:59:05 2010	(r16504)
+++ dists/sid/linux-2.6/debian/patches/series/27	Sat Oct 30 08:33:37 2010	(r16505)
@@ -19,3 +19,4 @@
 + bugfix/all/drm-Only-decouple-the-old_fb-from-the-crtc-is-we-cal.patch
 + bugfix/all/drm-i915-Unset-cursor-if-out-of-bounds-upon-mode-cha.patch
 + bugfix/all/drm-i915-agp-intel-Add-second-set-of-PCI-IDs-for-B43.patch
++ bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch


