From owner-svn-src-releng@freebsd.org Thu Nov 22 13:12:18 2018
Message-Id: <201811221312.wAMDCH0U073846@repo.freebsd.org>
From: Tijl Coosemans
Date: Thu, 22 Nov 2018 13:12:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r340762 - releng/12.0/sys/compat/linux
X-SVN-Group: releng
X-SVN-Commit-Author: tijl
X-SVN-Commit-Paths: releng/12.0/sys/compat/linux
X-SVN-Commit-Revision: 340762
X-SVN-Commit-Repository: base
List-Id: SVN commit messages for the release engineering / security commits to the src tree

Author: tijl
Date: Thu Nov 22 13:12:17 2018
New Revision: 340762
URL: https://svnweb.freebsd.org/changeset/base/340762

Log:
  MFS r340757:
  Fix another user address dereference in linux_sendmsg syscall.  This was
  hidden behind the LINUX_CMSG_NXTHDR macro which dereferences its second
  argument.  Stop using the macro as well as LINUX_CMSG_FIRSTHDR.  Use the
  size field of the kernel copy of the control message header to obtain the
  next control message.

  PR:		217901
  Approved by:	re (marius)

Modified:
  releng/12.0/sys/compat/linux/linux_socket.c
Directory Properties:
  releng/12.0/   (props changed)

Modified: releng/12.0/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/12.0/sys/compat/linux/linux_socket.c	Thu Nov 22 13:09:42 2018	(r340761)
+++ releng/12.0/sys/compat/linux/linux_socket.c	Thu Nov 22 13:12:17 2018	(r340762)
@@ -1096,6 +1096,7 @@ linux_sendmsg_common(struct thread *td, l_int s, struc sa_family_t sa_family; void *data; l_size_t len; + l_size_t clen; int error; error = copyin(msghdr, &linux_msg, sizeof(linux_msg)); @@ -1127,7 +1128,7 @@ linux_sendmsg_common(struct thread *td, l_int s, struc control = NULL; - if ((ptr_cmsg = LINUX_CMSG_FIRSTHDR(&linux_msg)) != NULL) { + if (linux_msg.msg_controllen >= sizeof(struct l_cmsghdr)) { error = kern_getsockname(td, s, &sa, &datalen); if (error != 0) goto bad; @@ -1140,6 +1141,8 @@ linux_sendmsg_common(struct thread *td, l_int s, struc data = mtod(control, void *); datalen = 0; + ptr_cmsg = PTRIN(linux_msg.msg_control); + clen = linux_msg.msg_controllen; do { error = copyin(ptr_cmsg, &linux_cmsg, sizeof(struct l_cmsghdr)); @@ -1147,7 +1150,8 @@ linux_sendmsg_common(struct thread *td, l_int s, struc goto bad; error = EINVAL; - if (linux_cmsg.cmsg_len < sizeof(struct l_cmsghdr)) + if (linux_cmsg.cmsg_len < sizeof(struct l_cmsghdr) || + linux_cmsg.cmsg_len > clen) goto bad; if (datalen + CMSG_HDRSZ > MCLBYTES) @@ -1199,7 +1203,14 @@ linux_sendmsg_common(struct thread *td, l_int s, struc cmsg->cmsg_len = CMSG_LEN(len); data = (char *)data + CMSG_SPACE(len); datalen += CMSG_SPACE(len); - } while ((ptr_cmsg = LINUX_CMSG_NXTHDR(&linux_msg, ptr_cmsg))); + + if (clen <= LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len)) + break; + + clen -= LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len); + ptr_cmsg = (struct l_cmsghdr *)((char *)ptr_cmsg + + LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len)); + } while(clen >= sizeof(struct l_cmsghdr)); control->m_len = datalen; if (datalen == 0) {
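Review bot: in the second hunk (@@ -1127,7 +1128,7 @@) the new condition `if (linux_msg.msg_controllen >= sizeof(struct l_cmsghdr))` tests only the kernel copy of the header filled by the earlier `copyin(msghdr, &linux_msg, sizeof(linux_msg))`, and the user pointer is no longer materialised at this point at all; suggest a one-line comment noting that msg_control itself is validated by the copyin() inside the do loop, so a NULL or otherwise bad msg_control with a nonzero msg_controllen fails there with EFAULT instead of being dereferenced in kernel context, which is the property the log message is after.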
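Review bot: in the fourth hunk (@@ -1147,7 +1150,8 @@) the added `linux_cmsg.cmsg_len > clen` test is what actually keeps the walk inside msg_controllen, but clen is the remaining control length, not the total, because the last hunk decrements it by `LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len)` on every iteration; a reader who only sees `clen = linux_msg.msg_controllen` two hunks earlier will assume the comparison is against the whole buffer. A short comment above the `if` stating that clen counts down as headers are consumed, and that both halves of the test fall through to the existing `error = EINVAL; goto bad;` path, would make the invariant explicit.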
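Review bot: style(9) nit in the last hunk (@@ -1199,7 +1203,14 @@): `} while(clen >= sizeof(struct l_cmsghdr));` is missing the space after `while`, while every `if (` in the same hunk has it. The logic itself is ordered correctly: the `if (clen <= LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len)) break;` runs before `clen -= LINUX_CMSG_ALIGN(linux_cmsg.cmsg_len);`, so the unsigned remainder can never wrap, and because LINUX_CMSG_ALIGN rounds up, a final message whose alignment padding would extend past the remaining buffer ends the loop rather than producing a ptr_cmsg beyond msg_control + msg_controllen; computing the next ptr_cmsg from the kernel copy of cmsg_len is also what removes the LINUX_CMSG_NXTHDR dereference named in the log. A comment on the break explaining both the exact-fit and the padding-overflow case would help the next reader.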