    net: don't unconditionally copy_from_user a struct ifreq for socket ioctls · d0efb162
    Committed by Peter Collingbourne
    A common implementation of isatty(3) involves calling an ioctl passing
    a dummy struct argument and checking whether the syscall failed --
    bionic and glibc use TCGETS (passing a struct termios), and musl uses
    TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
    copy sizeof(struct ifreq) bytes of data from the argument and return
    -EFAULT if that fails. The result is that the isatty implementations
    may return a non-POSIX-compliant value in errno in the case where part
    of the dummy struct argument is inaccessible, as both struct termios
    and struct winsize are smaller than struct ifreq (at least on arm64).
    
    Although there is usually enough stack space following the argument
    on the stack that this did not present a practical problem up to now,
    with MTE stack instrumentation it's more likely for the copy to fail,
    as the memory following the struct may have a different tag.
    
    Fix the problem by adding an early check for whether the ioctl is a
    valid socket ioctl, and return -ENOTTY if it isn't.
    
    Fixes: 44c02a2c ("dev_ioctl(): move copyin/copyout to callers")
    Link: https://linux-review.googlesource.com/id/I869da6cf6daabc3e4b7b82ac979683ba05e27d4d
    Signed-off-by: Peter Collingbourne <pcc@google.com>
    Cc: <stable@vger.kernel.org> # 4.19
    Signed-off-by: David S. Miller <davem@davemloft.net>
socket.c 92.5 KB
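
A userspace regression check for the behaviour the commit message describes, added here as an example (it is not part of the kernel patch or the author's code). It assumes a PROT_NONE guard page is an acceptable stand-in for memory carrying a different MTE tag; the function name `probe_socket_isatty_errno` is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

/* Issue TIOCGWINSZ (the isatty probe musl uses) on a socket, with the
 * struct winsize placed so the bytes right after it are inaccessible.
 * Returns the errno reported, 0 if the ioctl succeeds, -1 on setup failure. */
int probe_socket_isatty_errno(void)
{
    long page = sysconf(_SC_PAGESIZE);
    struct winsize *ws;
    int sv[2], result = -1;

    /* Two pages: first usable, second a guard (assumed stand-in for a
     * region with a different MTE tag). */
    char *map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return -1;
    if (mprotect(map + page, page, PROT_NONE) != 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        goto out;

    /* The struct ends exactly at the page boundary, so a copy of
     * sizeof(struct ifreq) bytes starting here runs into the guard page. */
    ws = (struct winsize *)(map + page - sizeof(*ws));
    result = ioctl(sv[0], TIOCGWINSZ, ws) == 0 ? 0 : errno;
    close(sv[0]);
    close(sv[1]);
out:
    munmap(map, 2 * page);
    return result;
}

int main(void)
{
    int e = probe_socket_isatty_errno();
    printf("sizeof(struct winsize)=%zu, sizeof(struct ifreq)=%zu\n",
           sizeof(struct winsize), sizeof(struct ifreq));
    printf("errno=%d (%s): %s\n", e, e > 0 ? strerror(e) : "n/a",
           e == ENOTTY ? "early ENOTTY check present"
                       : "unexpected errno for an isatty probe");
    return e == ENOTTY ? 0 : 1;
}
```

EFAULT here means the kernel copied a full struct ifreq before deciding the command was not a socket ioctl; ENOTTY is the result the commit message says the fix returns.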