net: prevent rewrite of msg_name in sock_sendmsg()
stable inclusion from stable-v5.10.198 commit 81d03e2518945c4bc7b9a7b3f1935203954bf3ba category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I987V5 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=81d03e2518945c4bc7b9a7b3f1935203954bf3ba -------------------------------- commit 86a7e0b6 upstream. Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel space may observe their value of msg_name change in cases where BPF sendmsg hooks rewrite the send address. This has been confirmed to break NFS mounts running in UDP mode and has the potential to break other systems. This patch: 1) Creates a new function called __sock_sendmsg() with same logic as the old sock_sendmsg() function. 2) Replaces calls to sock_sendmsg() made by __sys_sendto() and __sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy, as these system calls are already protected. 3) Modifies sock_sendmsg() so that it makes a copy of msg_name if present before passing it down the stack to insulate callers from changes to the send address. Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/ Fixes: 1cedee13 ("bpf: Hooks for sys_sendmsg") Cc: stable@vger.kernel.org Reviewed-by:Willem de Bruijn <willemb@google.com> Signed-off-by:
Loading
Please sign in to comment