Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753269AbcKHKnn (ORCPT <rfc822;w@1wt.eu>);
        Tue, 8 Nov 2016 05:43:43 -0500
Received: from mail.sigma-star.at ([95.130.255.111]:45996 "EHLO
        mail.sigma-star.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751711AbcKHKnk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Nov 2016 05:43:40 -0500
From: Richard Weinberger <richard@nod.at>
To: drbd-dev@lists.linbit.com
Cc: linux-kernel@vger.kernel.org, lars.ellenberg@linbit.com,
        philipp.reisner@linbit.com, Richard Weinberger <richard@nod.at>,
        stable@vger.kernel.org, viro@zeniv.linux.org.uk,
        christoph.lechleitner@iteg.at, wolfgang.glas@iteg.at
Subject: [PATCH] drbd: Fix kernel_sendmsg() usage
Date: Tue,  8 Nov 2016 11:43:09 +0100
Message-Id: <1478601789-15060-1-git-send-email-richard@nod.at>
X-Mailer: git-send-email 2.7.3
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1618
Lines: 41

Don't pass a size larger than iov_len to kernel_sendmsg().
Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
returns with rv < size.

Although the issue exists since day 0, only on non-ancient kernels
that contain change 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter
primitives") it seems to trigger [0][1][2][3][4].

[0] http://lists.linbit.com/pipermail/drbd-user/2016-July/023112.html
[1] http://lists.linbit.com/pipermail/drbd-dev/2016-March/003362.html
[2] https://forums.grsecurity.net/viewtopic.php?f=3&t=4546
[3] https://ubuntuforums.org/showthread.php?t=2336150
[4] http://e2.howsolveproblem.com/i/1175162/

Fixes: b411b3637fa71fc ("The DRBD driver")
Cc: stable@vger.kernel.org
Cc: viro@zeniv.linux.org.uk
Cc: christoph.lechleitner@iteg.at
Cc: wolfgang.glas@iteg.at
Reported-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
Tested-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 drivers/block/drbd/drbd_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index 100be556e613..cbec781c2b57 100644
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -1871,7 +1871,7 @@ int drbd_send(struct drbd_connection *connection, struct socket *sock,
 		drbd_update_congested(connection);
 	}
 	do {
-		rv = kernel_sendmsg(sock, &msg, &iov, 1, size);
+		rv = kernel_sendmsg(sock, &msg, &iov, 1, size - sent);
 		if (rv == -EAGAIN) {
 			if (we_should_drop_the_connection(connection, sock))
 				break;
-- 
2.7.3