1. 28 4月, 2008 1 次提交
  2. 29 1月, 2008 2 次提交
  3. 21 12月, 2007 1 次提交
    • W
      [NET]: Fix function put_cmsg() which may cause usr application memory overflow · 1ac70e7a
      Wei Yongjun 提交于
      When used function put_cmsg() to copy kernel information to user 
      application memory, if the memory length given by user application is 
      not enough, by the bad length calculate of msg.msg_controllen, 
      put_cmsg() function may cause the msg.msg_controllen to be a large 
      value, such as 0xFFFFFFF0, so the following put_cmsg() can also write 
      data to usr application memory even usr has no valid memory to store 
      this. This may cause usr application memory overflow.
      
      int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
      {
          struct cmsghdr __user *cm
              = (__force struct cmsghdr __user *)msg->msg_control;
          struct cmsghdr cmhdr;
          int cmlen = CMSG_LEN(len);
          ~~~~~~~~~~~~~~~~~~~~~
          int err;
      
          if (MSG_CMSG_COMPAT & msg->msg_flags)
              return put_cmsg_compat(msg, level, type, len, data);
      
          if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
              msg->msg_flags |= MSG_CTRUNC;
              return 0; /* XXX: return error? check spec. */
          }
          if (msg->msg_controllen < cmlen) {
          ~~~~~~~~~~~~~~~~~~~~~~~~
              msg->msg_flags |= MSG_CTRUNC;
              cmlen = msg->msg_controllen;
          }
          cmhdr.cmsg_level = level;
          cmhdr.cmsg_type = type;
          cmhdr.cmsg_len = cmlen;
      
          err = -EFAULT;
          if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
              goto out;
          if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
              goto out;
          cmlen = CMSG_SPACE(len);
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
          If MSG_CTRUNC flags is set, msg->msg_controllen is less than 
      CMSG_SPACE(len), "msg->msg_controllen -= cmlen" will cause unsinged int 
      type msg->msg_controllen to be a large value.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
          msg->msg_control += cmlen;
          msg->msg_controllen -= cmlen;
          ~~~~~~~~~~~~~~~~~~~~~
          err = 0;
      out:
          return err;
      }
      
      The same promble exists in put_cmsg_compat(). This patch can fix this 
      problem.
      Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ac70e7a
  4. 17 7月, 2007 1 次提交
    • U
      O_CLOEXEC for SCM_RIGHTS · 4a19542e
      Ulrich Drepper 提交于
      Part two in the O_CLOEXEC saga: adding support for file descriptors received
      through Unix domain sockets.
      
      The patch is once again pretty minimal, it introduces a new flag for recvmsg
      and passes it just like the existing MSG_CMSG_COMPAT flag.  I think this bit
      is not used otherwise but the networking people will know better.
      
      This new flag is not recognized by recvfrom and recv.  These functions cannot
      be used for that purpose and the asymmetry this introduces is not worse than
      the already existing MSG_CMSG_COMPAT situations.
      
      The patch must be applied on the patch which introduced O_CLOEXEC.  It has to
      remove static from the new get_unused_fd_flags function but since scm.c cannot
      live in a module the function still hasn't to be exported.
      
      Here's a test program to make sure the code works.  It's so much longer than
      the actual patch...
      
      #include <errno.h>
      #include <error.h>
      #include <fcntl.h>
      #include <stdio.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/socket.h>
      #include <sys/un.h>
      
      #ifndef O_CLOEXEC
      # define O_CLOEXEC 02000000
      #endif
      #ifndef MSG_CMSG_CLOEXEC
      # define MSG_CMSG_CLOEXEC 0x40000000
      #endif
      
      int
      main (int argc, char *argv[])
      {
        if (argc > 1)
          {
            int fd = atol (argv[1]);
            printf ("child: fd = %d\n", fd);
            if (fcntl (fd, F_GETFD) == 0 || errno != EBADF)
              {
                puts ("file descriptor valid in child");
                return 1;
              }
            return 0;
      
          }
      
        struct sockaddr_un sun;
        strcpy (sun.sun_path, "./testsocket");
        sun.sun_family = AF_UNIX;
      
        char databuf[] = "hello";
        struct iovec iov[1];
        iov[0].iov_base = databuf;
        iov[0].iov_len = sizeof (databuf);
      
        union
        {
          struct cmsghdr hdr;
          char bytes[CMSG_SPACE (sizeof (int))];
        } buf;
        struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 1,
                              .msg_control = buf.bytes,
                              .msg_controllen = sizeof (buf) };
        struct cmsghdr *cmsg = CMSG_FIRSTHDR (&msg);
      
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN (sizeof (int));
      
        msg.msg_controllen = cmsg->cmsg_len;
      
        pid_t child = fork ();
        if (child == -1)
          error (1, errno, "fork");
        if (child == 0)
          {
            int sock = socket (PF_UNIX, SOCK_STREAM, 0);
            if (sock < 0)
              error (1, errno, "socket");
      
            if (bind (sock, (struct sockaddr *) &sun, sizeof (sun)) < 0)
              error (1, errno, "bind");
            if (listen (sock, SOMAXCONN) < 0)
              error (1, errno, "listen");
      
            int conn = accept (sock, NULL, NULL);
            if (conn == -1)
              error (1, errno, "accept");
      
            *(int *) CMSG_DATA (cmsg) = sock;
            if (sendmsg (conn, &msg, MSG_NOSIGNAL) < 0)
              error (1, errno, "sendmsg");
      
            return 0;
          }
      
        /* For a test suite this should be more robust like a
           barrier in shared memory.  */
        sleep (1);
      
        int sock = socket (PF_UNIX, SOCK_STREAM, 0);
        if (sock < 0)
          error (1, errno, "socket");
      
        if (connect (sock, (struct sockaddr *) &sun, sizeof (sun)) < 0)
          error (1, errno, "connect");
        unlink (sun.sun_path);
      
        *(int *) CMSG_DATA (cmsg) = -1;
      
        if (recvmsg (sock, &msg, MSG_CMSG_CLOEXEC) < 0)
          error (1, errno, "recvmsg");
      
        int fd = *(int *) CMSG_DATA (cmsg);
        if (fd == -1)
          error (1, 0, "no descriptor received");
      
        char fdname[20];
        snprintf (fdname, sizeof (fdname), "%d", fd);
        execl ("/proc/self/exe", argv[0], fdname, NULL);
        puts ("execl failed");
        return 1;
      }
      
      [akpm@linux-foundation.org: Fix fastcall inconsistency noted by Michael Buesch]
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: NUlrich Drepper <drepper@redhat.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Michael Buesch <mb@bu3sch.de>
      Cc: Michael Kerrisk <mtk-manpages@gmx.net>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4a19542e
  5. 26 4月, 2007 4 次提交
    • E
      [NET]: Adding SO_TIMESTAMPNS / SCM_TIMESTAMPNS support · 92f37fd2
      Eric Dumazet 提交于
      Now that network timestamps use ktime_t infrastructure, we can add a new
      SOL_SOCKET sockopt  SO_TIMESTAMPNS.
      
      This command is similar to SO_TIMESTAMP, but permits transmission of
      a 'timespec struct' instead of a 'timeval struct' control message.
      (nanosecond resolution instead of microsecond)
      
      Control message is labelled SCM_TIMESTAMPNS instead of SCM_TIMESTAMP
      
      A socket cannot mix SO_TIMESTAMP and SO_TIMESTAMPNS : the two modes are
      mutually exclusive.
      
      sock_recv_timestamp() became too big to be fully inlined so I added a
      __sock_recv_timestamp() helper function.
      Signed-off-by: NEric Dumazet <dada1@cosmosbay.com>
      CC: linux-arch@vger.kernel.org
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      92f37fd2
    • S
      [NET] core: whitespace cleanup · e71a4783
      Stephen Hemminger 提交于
      Fix whitespace around keywords. Fix indentation especially of switch
      statements.
      Signed-off-by: NStephen Hemminger <shemminger@linux-foundation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e71a4783
    • E
      [NET]: Introduce SIOCGSTAMPNS ioctl to get timestamps with nanosec resolution · ae40eb1e
      Eric Dumazet 提交于
      Now network timestamps use ktime_t infrastructure, we can add a new
      ioctl() SIOCGSTAMPNS command to get timestamps in 'struct timespec'.
      User programs can thus access to nanosecond resolution.
      Signed-off-by: NEric Dumazet <dada1@cosmosbay.com>
      CC: Stephen Hemminger <shemminger@linux-foundation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae40eb1e
    • E
      [NET]: convert network timestamps to ktime_t · b7aa0bf7
      Eric Dumazet 提交于
      We currently use a special structure (struct skb_timeval) and plain
      'struct timeval' to store packet timestamps in sk_buffs and struct
      sock.
      
      This has some drawbacks :
      - Fixed resolution of micro second.
      - Waste of space on 64bit platforms where sizeof(struct timeval)=16
      
      I suggest using ktime_t that is a nice abstraction of high resolution
      time services, currently capable of nanosecond resolution.
      
      As sizeof(ktime_t) is 8 bytes, using ktime_t in 'struct sock' permits
      a 8 byte shrink of this structure on 64bit architectures. Some other
      structures also benefit from this size reduction (struct ipq in
      ipv4/ip_fragment.c, struct frag_queue in ipv6/reassembly.c, ...)
      
      Once this ktime infrastructure adopted, we can more easily provide
      nanosecond resolution on top of it. (ioctl SIOCGSTAMPNS and/or
      SO_TIMESTAMPNS/SCM_TIMESTAMPNS)
      
      Note : this patch includes a bug correction in
      compat_sock_get_timestamp() where a "err = 0;" was missing (so this
      syscall returned -ENOENT instead of 0)
      Signed-off-by: NEric Dumazet <dada1@cosmosbay.com>
      CC: Stephen Hemminger <shemminger@linux-foundation.org>
      CC: John find <linux.kernel@free.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b7aa0bf7
  6. 15 2月, 2007 1 次提交
    • T
      [PATCH] remove many unneeded #includes of sched.h · cd354f1a
      Tim Schmielau 提交于
      After Al Viro (finally) succeeded in removing the sched.h #include in module.h
      recently, it makes sense again to remove other superfluous sched.h includes.
      There are quite a lot of files which include it but don't actually need
      anything defined in there.  Presumably these includes were once needed for
      macros that used to live in sched.h, but moved to other header files in the
      course of cleaning it up.
      
      To ease the pain, this time I did not fiddle with any header files and only
      removed #includes from .c-files, which tend to cause less trouble.
      
      Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha,
      arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig,
      allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all
      configs in arch/arm/configs on arm.  I also checked that no new warnings were
      introduced by the patch (actually, some warnings are removed that were emitted
      by unnecessarily included header files).
      Signed-off-by: NTim Schmielau <tim@physik3.uni-rostock.de>
      Acked-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cd354f1a
  7. 11 2月, 2007 1 次提交
  8. 12 10月, 2006 1 次提交
    • M
      [NET]: File descriptor loss while receiving SCM_RIGHTS · effee6a0
      Miklos Szeredi 提交于
      If more than one file descriptor was sent with an SCM_RIGHTS message,
      and on the receiving end, after installing a nonzero (but not all)
      file descritpors the process runs out of fds, then the already
      installed fds will be lost (userspace will have no way of knowing
      about them).
      
      The following patch makes sure, that at least the already installed
      fds are sent to userspace.  It doesn't solve the issue of losing file
      descriptors in case of an EFAULT on the userspace buffer.
      Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      effee6a0
  9. 01 4月, 2006 1 次提交
  10. 22 3月, 2006 1 次提交
  11. 21 3月, 2006 1 次提交
  12. 08 9月, 2005 1 次提交
  13. 10 8月, 2005 1 次提交
    • A
      [NET]: Fix memory leak in sys_{send,recv}msg() w/compat · d64d3873
      Andrew Morton 提交于
      From: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
      
      sendmsg()/recvmsg() syscalls from o32/n32 apps to a 64bit kernel will
      cause a kernel memory leak if iov_len > UIO_FASTIOV for each syscall!
      
      This is because both sys_sendmsg() and verify_compat_iovec() kmalloc a
      new iovec structure.  Only the one from sys_sendmsg() is free'ed.
      
      I wrote a simple test program to confirm this after identifying the
      problem:
      
      http://davej.org/programs/testsendmsg.c
      
      Note that the below fix will break solaris_sendmsg()/solaris_recvmsg() as
      it also calls verify_compat_iovec() but expects it to malloc internally.
      
      [ I fixed that. -DaveM ]
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d64d3873
  14. 17 4月, 2005 1 次提交
    • L
      Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds 提交于
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!
      1da177e4