On Thu, Nov 06, 2014 at 04:28:08PM -0500, David Miller wrote: > From: Herbert Xu <herb...@gondor.apana.org.au> > Date: Thu, 6 Nov 2014 14:46:29 +0800 > > > On Thu, Nov 06, 2014 at 06:43:18AM +0000, Al Viro wrote: > >> On Thu, Nov 06, 2014 at 01:50:23PM +0800, Herbert Xu wrote: > >> > + /* We only need the first two bytes. */ > >> > + err = memcpy_fromiovecend((void *)&icmph, msg->msg_iov, 0, 2); > >> > + if (err) > >> > + return err; > >> > + > >> > + fl4->fl4_icmp_type = icmph.type; > >> > + fl4->fl4_icmp_code = icmph.code; > >> > >> That's more readable, but that exposes another problem in there - we read > >> the same piece of userland data twice, with no promise whatsoever that > >> we'll > >> get the same value both times... > > > > Sure, but you have to be root anyway to write to raw sockets. > > > > Patches are welcome :) > > I'd agree with this root-only argument maybe 15 years ago, but with > containers and stuff like that we want to prevent root X from messing > up the machine for root Y. > > This is a recurring topic, and I'd strongly like to avoid adding new > ways that these kinds of problems can happen. > > For example, I'm still on the hook to address the AF_NETLINK mmap TX > code, which has a similarly abusable issue.
Fair enough. Even though the bug existed prior to my patch I'll see if we could get rid of it. Cheers, -- Email: Herbert Xu <herb...@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/