From: Herbert Xu <herb...@gondor.apana.org.au> Date: Thu, 6 Nov 2014 14:46:29 +0800
> On Thu, Nov 06, 2014 at 06:43:18AM +0000, Al Viro wrote: >> On Thu, Nov 06, 2014 at 01:50:23PM +0800, Herbert Xu wrote: >> > + /* We only need the first two bytes. */ >> > + err = memcpy_fromiovecend((void *)&icmph, msg->msg_iov, 0, 2); >> > + if (err) >> > + return err; >> > + >> > + fl4->fl4_icmp_type = icmph.type; >> > + fl4->fl4_icmp_code = icmph.code; >> >> That's more readable, but that exposes another problem in there - we read >> the same piece of userland data twice, with no promise whatsoever that we'll >> get the same value both times... > > Sure, but you have to be root anyway to write to raw sockets. > > Patches are welcome :) I'd agree with this root-only argument maybe 15 years ago, but with containers and stuff like that we want to prevent root X from messing up the machine for root Y. This is a recurring topic, and I'd strongly like to avoid adding new ways that these kinds of problems can happen. For example, I'm still on the hook to address the AF_NETLINK mmap TX code, which has a similarly abusable issue. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
