On Mon, Jul 20, 2020 at 11:12 PM David Laight <david.lai...@aculab.com> wrote:
>
> > From: lebon zhou
> > Sent: 20 July 2020 05:35
> > To: da...@davemloft.net; k...@kernel.org
> > Cc: linux-ker...@vger.kernel.org; netdev@vger.kernel.org
> > Subject: [PATCH] Fix memory overwriting issue when copying an address to user
> > space
> >
> > When the application-provided buffer size is less than sockaddr_storage, the
> > kernel will overwrite some memory area, which may cause memory corruption,
> > e.g.: in the recvmsg case, let msg_name=malloc(8) and msg_namelen=8; then
> > usually the application can call recvmsg successfully, but actually the
> > application's memory gets corrupted.
>
> Where?
> The copy_to_user() uses the short length provided by the user.
> There is even a comment saying that if the address is truncated
> the length returned to the user is the full length.
>
> Maybe the application is reusing the msg without re-initialising
> it properly.
It is not related to copy_to_user(); it is about the move_addr_to_user() implementation itself. There is a comment /* After copying the data up to the limit the user specifies... */, but the fact is that when (ulen < klen), this function will copy more content to the user buffer than the user specifies in @ulen. This will cause the user buffer to be corrupted; this patch fixes this issue.
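The contract under dispute in the thread (copy at most the caller-supplied length, then report the full address length so the caller can see it was truncated) can be modelled in userspace. The block below is an added example written for this page; it is not the kernel's move_addr_to_user() and not code from either participant. The 8-byte buffer comes from the recvmsg scenario in the patch description; the 16-byte kernel-side address, the 128-byte storage limit and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Stands in for sizeof(struct sockaddr_storage); value is an assumption. */
#define MODEL_STORAGE_SIZE 128

/* Userspace model (constructed, not kernel code) of the address-return
 * contract: never write more than *ulen bytes into uaddr, then store the
 * untruncated length klen in *ulen ("fromlen shall refer to the value
 * before truncation", POSIX). Returns 0 on success, -EINVAL on bad lengths. */
int model_move_addr_to_user(const unsigned char *kaddr, int klen,
                            unsigned char *uaddr, int *ulen)
{
    int len = *ulen;

    if (klen > MODEL_STORAGE_SIZE)
        return -EINVAL;                 /* kernel-side address too large */
    if (len > klen)
        len = klen;                     /* copy no more than we have */
    if (len < 0)
        return -EINVAL;                 /* negative user length is invalid */
    if (len)
        memcpy(uaddr, kaddr, (size_t)len);  /* bounded by the caller's length */
    *ulen = klen;                       /* report full length: truncation visible */
    return 0;
}

struct scenario_result {
    int clobbered;      /* guard bytes modified past the 8-byte buffer */
    int reported_len;   /* length handed back to the "application" */
};

/* Recreates the thread's recvmsg scenario: an 8-byte msg_name buffer
 * (msg_namelen=8) receiving a constructed 16-byte address. Eight guard
 * bytes follow the buffer so any overwrite beyond 8 bytes is detectable. */
static struct scenario_result run_short_buffer_scenario(void)
{
    unsigned char kaddr[16];
    unsigned char user_buf[8 + 8];
    struct scenario_result r = { 0, 0 };
    int ulen = 8;
    int i;

    memset(kaddr, 0xAB, sizeof kaddr);      /* constructed address bytes */
    memset(user_buf, 0x00, sizeof user_buf);

    if (model_move_addr_to_user(kaddr, (int)sizeof kaddr, user_buf, &ulen) != 0) {
        r.clobbered = -1;               /* unexpected error in the model */
        return r;
    }
    for (i = 8; i < 16; i++)            /* inspect the guard region only */
        if (user_buf[i] != 0x00)
            r.clobbered++;
    r.reported_len = ulen;
    return r;
}

/* Number of guard bytes written past the caller's 8-byte buffer (0 = none). */
int guard_bytes_clobbered(void)
{
    return run_short_buffer_scenario().clobbered;
}

/* Length reported back to the caller after the short-buffer scenario. */
int reported_length(void)
{
    return run_short_buffer_scenario().reported_len;
}

/* How an application should check for truncation: compare the reported
 * length against the buffer length it passed in. Returns 1 if truncated. */
int address_was_truncated(int buffer_len, int reported_len)
{
    return reported_len > buffer_len;
}

int main(void)
{
    printf("guard bytes clobbered: %d, reported length: %d, truncated: %d\n",
           guard_bytes_clobbered(), reported_length(),
           address_was_truncated(8, reported_length()));
    return 0;
}
```

An application that passes a short msg_name buffer and then ignores the updated msg_namelen will keep a truncated address; it does not get extra bytes written, but it may later treat the reported 16 as the buffer size if it reuses the msghdr without resetting msg_namelen, which is the reuse problem the reply raises.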