Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1308126ybg; Mon, 27 Jul 2020 13:26:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJytG+rGccrxZixwCKvO6XSun8Q7qi9+nQjkZg240skkuGZBA01J0Rq3foe5z3NWyl++LFVq X-Received: by 2002:a17:906:d8b6:: with SMTP id qc22mr8257459ejb.468.1595881614646; Mon, 27 Jul 2020 13:26:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595881614; cv=none; d=google.com; s=arc-20160816; b=i3FjzWjv3IvzKGewHxCqnn58cx6N2h1Hnw7lNBkk5+fl6D1/eWxnaQqEHlkDkzdHMg BhLnTRBznJPYRVNZd/Ed7mDAaeTO2kyz6Cil4dZcux9P9slk56oPgZaOX7/kGOleS1ZW 3t9MciNggu8pc/bV0m92wi7+WvxQ29HIliRlnFSlzkySydg8983wYaolfwm0sFjHOW8T GINGYi5ifs02bVygXTh84BpP2yMgKBnMK4+EM+QjZkVhZc1+sr5eLdCFzwXrg/0ghCfe kcIMDaOdWmBpHsmd6WRw9il2mCiZMZ0s31SMV73MsbVkAFQ2YELiNK7E/YmT3NCoXONE 6/QA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=pu7h4RlIujtR3C6GwE9iX7fAiXZxt+e1ZRpND9mEss4=; b=ZDROmlQGVsAt7UlqKwZjQRL3cKcdrw5hioQQTN431OcQNFQiES2iUF9wkY05oX5qpZ QdCkrLltKhSknW6bgnHYRgvvbU0un/2Zm3P4uUoSRkp/QNQ2236k4eEeI1L8hxZ17h26 x8p3wwJZSWLupMhtBK+cvcDm8l5PXy1gfASG+GcdaBp/2F4eA84ICQDhoejYgLB3Z9rM 4aYA7fSy2vPBCCqryif0kH7bUu5W+cjKZTWdXV6SYg4xSCJj8Mjp84C+qivz4qT5h9Oh jGuoaztzMeoNYW4EDokNIAl7n929NfuBbqzJ2Nwg9403uSBWIk/CGgwchemfFBleIYda W2Gw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p8si5753410ejf.352.2020.07.27.13.26.32; Mon, 27 Jul 2020 13:26:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728985AbgG0UZ7 (ORCPT + 99 others); Mon, 27 Jul 2020 16:25:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37546 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728039AbgG0UZ7 (ORCPT ); Mon, 27 Jul 2020 16:25:59 -0400 Received: from shards.monkeyblade.net (shards.monkeyblade.net [IPv6:2620:137:e000::1:9]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F6C0C061794; Mon, 27 Jul 2020 13:25:59 -0700 (PDT) Received: from localhost (unknown [IPv6:2601:601:9f00:477::3d5]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id 28E0312781F88; Mon, 27 Jul 2020 13:09:14 -0700 (PDT) Date: Mon, 27 Jul 2020 13:25:58 -0700 (PDT) Message-Id: <20200727.132558.1865871927633102126.davem@davemloft.net> To: viro@zeniv.linux.org.uk Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, nbowler@draconx.ca Subject: Re: [PATCH net] fix a braino in cmsghdr_from_user_compat_to_kern() From: David Miller In-Reply-To: <20200727182220.GI794331@ZenIV.linux.org.uk> References: <20200727160554.GG794331@ZenIV.linux.org.uk> <20200727161319.GH794331@ZenIV.linux.org.uk> <20200727182220.GI794331@ZenIV.linux.org.uk> X-Mailer: Mew version 6.8 on Emacs 26.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Mon, 27 Jul 2020 13:09:14 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Al Viro Date: Mon, 27 Jul 2020 19:22:20 +0100 > commit 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to > copy_from_user()") missed one of the places where ucmlen should've been > replaced with cmsg.cmsg_len, now that we are fetching the entire struct > rather than doing it field-by-field. > > As the result, compat sendmsg() with several different-sized cmsg > attached started to fail with EINVAL. Trivial to fix, fortunately. > > Reported-by: Nick Bowler > Tested-by: Nick Bowler > Fixes: 547ce4cfb34c ("switch cmsghdr_from_user_compat_to_kern() to copy_from_user()") > > Signed-off-by: Al Viro Applied, thanks Al.