Commit 47379052 authored by Arjan van de Ven's avatar Arjan van de Ven Committed by David S. Miller

net: Add explicit bound checks in net/socket.c

The sys_socketcall() function has a very clever system for the copy
size of its arguments. Unfortunately, gcc cannot deal with this in
terms of proving that the copy_from_user() is then always in bounds.
This is the last (well 9th of this series, but last in the kernel) such
case around.

With this patch, we can turn on code to make having the boundary provably
right for the whole kernel, and detect introduction of new security
accidents of this type early on.
Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 30df94f8
...@@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) ...@@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
unsigned long a[6]; unsigned long a[6];
unsigned long a0, a1; unsigned long a0, a1;
int err; int err;
unsigned int len;
if (call < 1 || call > SYS_ACCEPT4) if (call < 1 || call > SYS_ACCEPT4)
return -EINVAL; return -EINVAL;
len = nargs[call];
if (len > sizeof(a))
return -EINVAL;
/* copy_from_user should be SMP safe. */ /* copy_from_user should be SMP safe. */
if (copy_from_user(a, args, nargs[call])) if (copy_from_user(a, args, len))
return -EFAULT; return -EFAULT;
audit_socketcall(nargs[call] / sizeof(unsigned long), a); audit_socketcall(nargs[call] / sizeof(unsigned long), a);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment