On Thu, Apr 13, 2023 at 09:39:22PM +0100, David Howells wrote:
> Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> > Note that io_sendmsg_prep() handles both IORING_OP_SENDMSG and IORING_OP_SEND,
> > so this pair of functions can hit the same request. And sqe->msg_flags is
> > not sanitized at all - it comes straight from user buffer.
>
> Assuming ____sys_sendmsg() is fixed, I think it should be sufficient to make
> io_send() and io_send_zc(). io_sendmsg() and io_sendmsg_zc() will go through
> ____sys_sendmsg().

Sure; what I wanted to point out was that despite the name, io_sendmsg_prep()
gets used not only with io_sendmsg(). io_sendmsg() does go through
____sys_sendmsg(), but io_send() goes straight to sock_sendmsg() and evades
all your checks...