Permalink
Browse files

udp: properly support MSG_PEEK with truncated buffers

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                 msg->msg_iov);
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead reverting Herbert Xu patch and add back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2016-10229

Change-Id: I2c372dd5340b004da21394f6fb54d35f94a23b79
(cherry picked from commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191)
  • Loading branch information...
Eric Dumazet Sean McCreary
Eric Dumazet authored and Sean McCreary committed Dec 30, 2015
1 parent adee9b8 commit 8711b467e96e1172c595ca7b3eaf15918282ce6a
Showing with 8 additions and 4 deletions.
  1. +4 −2 net/ipv4/udp.c
  2. +4 −2 net/ipv6/udp.c
@@ -1172,6 +1172,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
int peeked, off = 0;
int err;
int is_udplite = IS_UDPLITE(sk);
bool checksum_valid = false;
bool slow;

/*
@@ -1203,11 +1204,12 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
*/

if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
if (udp_lib_checksum_complete(skb))
checksum_valid = !udp_lib_checksum_complete(skb);
if (!checksum_valid)
goto csum_copy_err;
}

if (skb_csum_unnecessary(skb))
if (checksum_valid || skb_csum_unnecessary(skb))
err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov, copied);
else {
@@ -345,6 +345,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
int peeked, off = 0;
int err;
int is_udplite = IS_UDPLITE(sk);
bool checksum_valid = false;
int is_udp4;
bool slow;

@@ -379,11 +380,12 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
*/

if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
if (udp_lib_checksum_complete(skb))
checksum_valid = !udp_lib_checksum_complete(skb);
if (!checksum_valid)
goto csum_copy_err;
}

if (skb_csum_unnecessary(skb))
if (checksum_valid || skb_csum_unnecessary(skb))
err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov, copied );
else {

0 comments on commit 8711b46

Please sign in to comment.