On Thu, Apr 13, 2023 at 09:49:18PM +0100, Al Viro wrote:
> On Thu, Apr 13, 2023 at 09:39:22PM +0100, David Howells wrote:
> > Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > > Note that io_sendmsg_prep() handles both IORING_OP_SENDMSG and IORING_OP_SEND,
> > > so this pair of functions can hit the same request. And sqe->msg_flags is
> > > not sanitized at all - it comes straight from user buffer.
> >
> > Assuming ____sys_sendmsg() is fixed, I think it should be sufficient to make
> > io_send() and io_send_zc(). io_sendmsg() and io_sendmsg_zc() will go through
> > ____sys_sendmsg().
>
> Sure; what I wanted to point out was that despite the name,
> io_sendmsg_prep() gets used not only with io_sendmsg(). io_sendmsg()
> does go through ____sys_sendmsg(), but io_send() goes straight to
> sock_sendmsg() and evades all your checks...

Incidentally, having ____sendmsg and ___sendmsg in the same file is more
than slightly antisocial - compiler can sort it out, but there are human
readers as well. We have

	____sys_sendmsg
	___sys_sendmsg
	__sys_sendmsg
	__sys_sendmmsg

next to each other. Maze of twisty little identifiers, all alike...
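The structural point of the exchange above (one prep routine feeding two dispatch paths, only one of which passes through a layer that filters flags) can be shown with a small stand-alone model. The following is an added example, not kernel code and not code from anyone in the thread: the flag bits, struct names, and the toy_* functions are all hypothetical stand-ins for msg_flags, the SQE, io_sendmsg_prep(), ____sys_sendmsg() and sock_sendmsg(). It shows why a check placed only in the "sendmsg" layer does not protect the "send" path, and why masking user-supplied flags in the shared prep covers both.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical flag bits standing in for msg_flags (not the real values). */
#define TOY_MSG_DONTWAIT   0x01u
#define TOY_MSG_NOSIGNAL   0x02u
#define TOY_MSG_INTERNAL   0x80u   /* kernel-internal bit; must never come from user space */

/* Hypothetical allowlist of flags a user-supplied request may carry. */
#define TOY_USER_ALLOWED (TOY_MSG_DONTWAIT | TOY_MSG_NOSIGNAL)

struct toy_sqe { uint32_t msg_flags; };   /* stands in for the user-supplied SQE */
struct toy_req { uint32_t msg_flags; };   /* kernel-side request filled in by prep */

/* Unsanitized prep: copies the user field verbatim (the situation the thread describes). */
static void toy_prep_raw(struct toy_req *req, const struct toy_sqe *sqe)
{
	req->msg_flags = sqe->msg_flags;
}

/* Sanitized prep: reject anything outside the allowlist here, in the shared prep,
 * so every op that uses this prep sees clean flags regardless of its dispatch path. */
static bool toy_prep_checked(struct toy_req *req, const struct toy_sqe *sqe)
{
	if (sqe->msg_flags & ~TOY_USER_ALLOWED)
		return false;
	req->msg_flags = sqe->msg_flags;
	return true;
}

/* Lowest layer: returns the flags it was handed, so a caller can see what arrived. */
static uint32_t toy_sock_sendmsg(uint32_t flags)
{
	return flags;
}

/* Intermediate layer modelled on the "fixed ____sys_sendmsg()" idea: strips the
 * internal bit before calling down. Only one of the two ops goes through it. */
static uint32_t toy_sys_sendmsg(uint32_t flags)
{
	return toy_sock_sendmsg(flags & ~TOY_MSG_INTERNAL);
}

/* "sendmsg" op: dispatches via the checking layer. */
static uint32_t toy_op_sendmsg(const struct toy_req *req)
{
	return toy_sys_sendmsg(req->msg_flags);
}

/* "send" op: dispatches straight to the lowest layer, bypassing the checking layer. */
static uint32_t toy_op_send(const struct toy_req *req)
{
	return toy_sock_sendmsg(req->msg_flags);
}

/* Returns true if the internal bit reached the lowest layer for the chosen
 * combination of prep variant and dispatch path. Input is a constructed SQE
 * carrying one permitted flag plus the internal bit. */
static bool toy_internal_leaks(bool sanitize_in_prep, bool via_send)
{
	struct toy_sqe sqe = { .msg_flags = TOY_MSG_DONTWAIT | TOY_MSG_INTERNAL };
	struct toy_req req = { 0 };

	if (sanitize_in_prep) {
		if (!toy_prep_checked(&req, &sqe))
			return false;   /* rejected at prep: nothing is sent at all */
	} else {
		toy_prep_raw(&req, &sqe);
	}

	uint32_t seen = via_send ? toy_op_send(&req) : toy_op_sendmsg(&req);
	return (seen & TOY_MSG_INTERNAL) != 0;
}
```

With the raw prep, the "sendmsg" path is clean because the intermediate layer strips the bit, but the "send" path delivers it unchanged; with the check in the shared prep, neither path can see it, which is the reason to sanitize at the point both ops have in common rather than in one of the two call chains.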