Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753269AbcKHKnn (ORCPT ); Tue, 8 Nov 2016 05:43:43 -0500
Received: from mail.sigma-star.at ([95.130.255.111]:45996 "EHLO mail.sigma-star.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751711AbcKHKnk (ORCPT ); Tue, 8 Nov 2016 05:43:40 -0500
From: Richard Weinberger
To: drbd-dev@lists.linbit.com
Cc: linux-kernel@vger.kernel.org, lars.ellenberg@linbit.com, philipp.reisner@linbit.com, Richard Weinberger, stable@vger.kernel.org, viro@zeniv.linux.org.uk, christoph.lechleitner@iteg.at, wolfgang.glas@iteg.at
Subject: [PATCH] drbd: Fix kernel_sendmsg() usage
Date: Tue, 8 Nov 2016 11:43:09 +0100
Message-Id: <1478601789-15060-1-git-send-email-richard@nod.at>
X-Mailer: git-send-email 2.7.3
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1618
Lines: 41

Don't pass a size larger than iov_len to kernel_sendmsg(). Otherwise it will cause a NULL pointer deref when kernel_sendmsg() returns with rv < size.

Although the issue exists since day 0, only on non-ancient kernels that contain change 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter primitives") it seems to trigger [0][1][2][3][4].

[0] http://lists.linbit.com/pipermail/drbd-user/2016-July/023112.html
[1] http://lists.linbit.com/pipermail/drbd-dev/2016-March/003362.html
[2] https://forums.grsecurity.net/viewtopic.php?f=3&t=4546
[3] https://ubuntuforums.org/showthread.php?t=2336150
[4] http://e2.howsolveproblem.com/i/1175162/

Fixes: b411b3637fa71fc ("The DRBD driver")
Cc: stable@vger.kernel.org
Cc: viro@zeniv.linux.org.uk
Cc: christoph.lechleitner@iteg.at
Cc: wolfgang.glas@iteg.at
Reported-by: Christoph Lechleitner
Tested-by: Christoph Lechleitner
Signed-off-by: Richard Weinberger
---
 drivers/block/drbd/drbd_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c index 100be556e613..cbec781c2b57 100644 --- a/drivers/block/drbd/drbd_main.c +++ b/drivers/block/drbd/drbd_main.c @@ -1871,7 +1871,7 @@ int drbd_send(struct drbd_connection *connection, struct socket *sock, drbd_update_congested(connection); } do { - rv = kernel_sendmsg(sock, &msg, &iov, 1, size); + rv = kernel_sendmsg(sock, &msg, &iov, 1, size - sent); if (rv == -EAGAIN) { if (we_should_drop_the_connection(connection, sock)) break; -- 2.7.3
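Review bot: the corrected call `rv = kernel_sendmsg(sock, &msg, &iov, 1, size - sent);` only fixes the over-length size argument if `sent` is the cumulative byte count from earlier iterations of this `do { ... }` loop and `iov.iov_base`/`iov.iov_len` are advanced by the same amount after each partial send; neither the declaration of `sent` nor that bookkeeping is visible in the hunk's context, so the invariant `size - sent == iov.iov_len` is implicit. Consider passing `iov.iov_len` directly, or adding a one-line comment on the `kernel_sendmsg()` call stating that the size argument must never exceed the single iovec's remaining length (the iov_iter walk otherwise runs past the one-element array, which is the NULL dereference the commit message describes), so the coupling between `sent` and `iov` is documented at the point where it matters. The `Fixes:` tag pointing at the original DRBD merge together with the `Cc: stable@vger.kernel.org` line is appropriate given the message's statement that the defect has existed since day 0 but only became reachable after 57be5bdad759.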