Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751707AbdFHUE2 (ORCPT ); Thu, 8 Jun 2017 16:04:28 -0400
Received: from shards.monkeyblade.net ([184.105.139.130]:35994 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751448AbdFHUE1 (ORCPT ); Thu, 8 Jun 2017 16:04:27 -0400
Date: Thu, 08 Jun 2017 16:04:25 -0400 (EDT)
Message-Id: <20170608.160425.3981801836671654.davem@davemloft.net>
To: mjurczyk@google.com
Cc: xiyou.wangcong@gmail.com, hannes@stressinduktion.org, viro@zeniv.linux.org.uk, keescook@chromium.org, mszeredi@redhat.com, iboukris@gmail.com, avagin@openvz.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
From: David Miller
In-Reply-To: <20170608091336.8274-1-mjurczyk@google.com>
References: <20170608091336.8274-1-mjurczyk@google.com>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Thu, 08 Jun 2017 12:22:47 -0700 (PDT)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 672
Lines: 14

From: Mateusz Jurczyk
Date: Thu, 8 Jun 2017 11:13:36 +0200

> Verify that the caller-provided sockaddr structure is large enough to
> contain the sa_family field, before accessing it in bind() and connect()
> handlers of the AF_UNIX socket. Since neither syscall enforces a minimum
> size of the corresponding memory region, very short sockaddrs (zero or
> one byte long) result in operating on uninitialized memory while
> referencing .sa_family.
>
> Signed-off-by: Mateusz Jurczyk

The sockaddr comes from a structure on the caller's kernel stack; even if the user gives a smaller length, it is legal to access that memory.
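Added example, not code from the patch or from the kernel source: a user-space C model of the point both messages make. Before bind() or connect() look at the address, the kernel copies the caller's bytes into a full struct sockaddr_storage on its own stack, so reading sa_family after a 0- or 1-byte copy touches legal memory, as David says; the bytes the copy did not write, however, are whatever that stack slot already held, which is the uninitialized read the patch's length check rules out. The helper names (model_move_addr_to_kernel, validate_unix_addr, model_bind), the 0xAA sentinel standing in for stale stack contents, and the socket path in the usage are constructed for this illustration.

```c
/* Added illustration (not kernel code). Models how an AF_UNIX bind()/connect()
 * handler receives a caller-supplied sockaddr and why a minimum-length check
 * on sa_family matters. Helper names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* First byte past sa_family: the minimum length needed to have read it. */
#define SA_FAMILY_END (offsetof(struct sockaddr, sa_family) + sizeof(sa_family_t))

/* Model of the kernel-side copy: the destination is a whole sockaddr_storage
 * on the "kernel stack"; only addr_len bytes of it are written. The length
 * checks mirror the kernel helper's documented behaviour (assumption). */
static int model_move_addr_to_kernel(const void *uaddr, int addr_len,
                                     struct sockaddr_storage *kaddr)
{
    if (addr_len < 0 || addr_len > (int)sizeof(*kaddr))
        return -EINVAL;
    if (addr_len == 0)
        return 0;                      /* nothing copied; kaddr untouched */
    memcpy(kaddr, uaddr, (size_t)addr_len);
    return 0;
}

/* The check the patch proposes: refuse to interpret sa_family unless the
 * caller actually supplied it, then enforce the expected family. */
static int validate_unix_addr(const struct sockaddr *addr, int addr_len)
{
    if (addr_len < (int)SA_FAMILY_END)
        return -EINVAL;                /* 0 or 1 byte: sa_family not supplied */
    if (addr->sa_family != AF_UNIX)
        return -EINVAL;
    return 0;
}

/* End-to-end model of the handler entry. Returns the validation result and
 * stores in *family_seen the sa_family value a handler without the length
 * check would have acted on. */
static int model_bind(const void *uaddr, int addr_len, sa_family_t *family_seen)
{
    struct sockaddr_storage kaddr;
    int ret;

    /* Constructed sentinel for stale stack bytes; a real kernel stack holds
     * whatever the previous call left there. */
    memset(&kaddr, 0xAA, sizeof(kaddr));

    ret = model_move_addr_to_kernel(uaddr, addr_len, &kaddr);
    if (ret)
        return ret;

    /* This read is inside kaddr, so it is legal memory regardless of
     * addr_len... */
    *family_seen = ((struct sockaddr *)&kaddr)->sa_family;

    /* ...but its value is only meaningful if the caller supplied it. */
    return validate_unix_addr((struct sockaddr *)&kaddr, addr_len);
}
```

Calling model_bind() with a properly filled struct sockaddr_un and its real length returns 0 and reports AF_UNIX; with addr_len 0 it returns -EINVAL and reports 0xAAAA, the sentinel, showing that the read was in bounds but of bytes the copy never wrote; with addr_len 1 it returns -EINVAL and reports a half-copied family value.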