From: lebon zhou
> Sent: 20 July 2020 05:35
> To: da...@davemloft.net; k...@kernel.org
> Cc: linux-ker...@vger.kernel.org; netdev@vger.kernel.org
> Subject: [PATCH] Fix memory overwriting issue when copying an address to user space
>
> When the application-provided buffer size is less than sockaddr_storage, the
> kernel will overwrite some memory area, which may cause memory corruption,
> e.g. in the recvmsg case: let msg_name=malloc(8) and msg_namelen=8, then
> usually the application can call recvmsg successfully, but actually the
> application memory gets corrupted.
Where?

The copy_to_user() uses the short length provided by the user.
There is even a comment saying that if the address is truncated the length
returned to the user is the full length.

Maybe the application is reusing the msg without re-initialising it properly.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
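The behaviour David describes can be checked from user space: hand recvmsg() a deliberately short msg_name buffer, surround it with a canary, and confirm that only the provided length is written while msg_namelen comes back as the full address length (which is how an application detects truncation). This is an added test program, not code from the thread or the kernel; check_truncated_msg_name() is a hypothetical helper name, and the loopback UDP socket and 0xAA canary are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Returns the msg_namelen the kernel reported if no byte past the
 * caller-provided length was touched, 0 if the canary was overwritten,
 * -1 on socket setup failure. Hypothetical helper, not kernel code. */
int check_truncated_msg_name(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in self = { .sin_family = AF_INET, .sin_port = 0 };
    self.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t slen = sizeof self;
    /* Bind to an ephemeral loopback port and send one datagram to ourselves. */
    if (bind(fd, (struct sockaddr *)&self, sizeof self) < 0 ||
        getsockname(fd, (struct sockaddr *)&self, &slen) < 0 ||
        sendto(fd, "x", 1, 0, (struct sockaddr *)&self, sizeof self) != 1) {
        close(fd);
        return -1;
    }
    /* Constructed buffer: 8 bytes offered to the kernel, 24 bytes of canary after. */
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    struct msghdr msg = {
        .msg_name = buf, .msg_namelen = 8, /* shorter than sockaddr_in (16) */
        .msg_iov = &iov, .msg_iovlen = 1,
    };
    ssize_t n = recvmsg(fd, &msg, 0);
    close(fd);
    if (n != 1)
        return -1;
    for (size_t i = 8; i < sizeof buf; i++)
        if (buf[i] != 0xAA)
            return 0; /* kernel wrote past the length we provided */
    /* Only 8 bytes were copied, but the full length is reported back,
     * so msg_namelen > provided length is the truncation signal. */
    return (int)msg.msg_namelen;
}

int main(void)
{
    printf("reported msg_namelen: %d (provided 8)\n", check_truncated_msg_name());
    return 0;
}
```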