While running SCTP tests on 2.6.13-rc5 with x86_64 and ppc64 based
platforms, I have noticed a problem that may be a potential security
issue. The SCTP test suite attempts to test invalid flags by sending down
a -1 in the flags field for calls such as sendmsg() and recvmsg(). With
the CONFIG_COMPAT flag turned on, MSG_CMSG_COMPAT is set at 0x80000000
for socket flags. Even though the test app is compiled as 64bit, the
invalid flag -1 becomes all f's and thus the MSG_CMSG_COMPAT flag is passed
through to the kernel and all paths where MSG_CMSG_COMPAT is checked are
invoked. In this case in sendmsg() verify_compat_iovec() was called
instead of verify_iovec() and the 64bit user addr has its top 32bits
chopped off and sent to the copy_from_user() call, which at times triggers
-EFAULT due to an invalid user addr, or probably copies junk if the user addr
happens to be valid... Is there any chance malicious code can cause
problems by exploiting this?
Should the kernel intercept the flags field at the point where it knows
whether it's invoking a 32bit or 64bit call and strip the flag if it
shouldn't be there, to prevent something like this?
Please cc me on replies. Thx!
--
Dave
------------------------------------------------------
Dave Jiang
Software Engineer Phone: (480) 517-0372
MontaVista Software, Inc. Fax: (480) 517-0262
2141 E Broadway Rd, St 108 Web: www.mvista.com
Tempe, AZ 85282 mailto:djiang@xxxxxxxxxx
------------------------------------------------------
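A model of the mechanism the mail describes, added here as an example; it is not code from the mail or from the kernel. It shows how int -1 becomes a flags word with the MSG_CMSG_COMPAT bit (0x80000000, the value quoted above) set, how reading a 64-bit iovec through the compat 32-bit layout truncates the user pointer the way verify_compat_iovec() would, and the check the mail asks for: the native 64-bit entry point rejecting (or stripping) a compat bit it can never legitimately receive. The struct and function names (compat_iovec_model, iovec_model, flags_from_minus_one, compat_path_base, unguarded_dispatch_base, native_entry_check_flags, native_entry_strip_flags, guarded_dispatch_base) and the sample address are assumptions made up for the example; the real kernel also reinterprets the msghdr itself on the compat path, which this model leaves out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value quoted in the mail: the kernel-internal MSG_CMSG_COMPAT bit under CONFIG_COMPAT. */
#define MSG_CMSG_COMPAT 0x80000000U

/* Simplified models (not the kernel's definitions) of the two iovec layouts the
 * kernel chooses between: a 32-bit process lays out a 32-bit pointer and a
 * 32-bit length, a 64-bit process two 64-bit words. */
struct compat_iovec_model { uint32_t iov_base; uint32_t iov_len; };
struct iovec_model { uint64_t iov_base; uint64_t iov_len; };

/* The test app's "invalid flag": int -1 converted to the syscall's unsigned
 * flags word is 0xffffffff, so bit 31 (MSG_CMSG_COMPAT) is set with the rest. */
unsigned int flags_from_minus_one(void)
{
    int invalid = -1;
    return (unsigned int)invalid;
}

/* Model of verify_compat_iovec() applied to memory that really holds a 64-bit
 * iovec: the kernel copies sizeof(compat_iovec) bytes and treats the first
 * 32-bit word as the user pointer (compat_ptr() zero-extends it). On
 * little-endian x86_64 that keeps the low half of the real pointer, on
 * big-endian ppc64 the high half; either way copy_from_user() gets a wrong
 * address, hence the -EFAULT or the junk copy the mail reports. */
uint64_t compat_path_base(const struct iovec_model *user_iov)
{
    struct compat_iovec_model c;
    memcpy(&c, user_iov, sizeof c);
    return (uint64_t)c.iov_base;
}

/* The dispatch the mail describes: a user-controlled flags word decides which
 * layout the kernel believes the user memory has (verify_iovec() would simply
 * copy the full 64-bit pointer). */
uint64_t unguarded_dispatch_base(unsigned int flags, const struct iovec_model *iov)
{
    if (flags & MSG_CMSG_COMPAT)
        return compat_path_base(iov);
    return iov->iov_base;
}

/* The fix the mail asks about: the native 64-bit sendmsg()/recvmsg() entry
 * already knows it is not the 32-bit entry, so a user-supplied compat bit can
 * only be garbage. Reject it before any msghdr/iovec parsing happens.
 * Returns 0, or a negative errno like a syscall would. */
int native_entry_check_flags(unsigned int flags)
{
    if (flags & MSG_CMSG_COMPAT)
        return -EINVAL;
    return 0;
}

/* The alternative the mail mentions: silently strip the bit instead. */
unsigned int native_entry_strip_flags(unsigned int flags)
{
    return flags & ~MSG_CMSG_COMPAT;
}

/* Guarded dispatch: returns a negative errno, or 0 and the base address the
 * kernel would hand to copy_from_user(). */
int guarded_dispatch_base(unsigned int flags, const struct iovec_model *iov,
                          uint64_t *base_out)
{
    int err = native_entry_check_flags(flags);
    if (err)
        return err;
    *base_out = iov->iov_base;
    return 0;
}

int main(void)
{
    /* Constructed sample: a typical 64-bit user-space buffer address. */
    struct iovec_model iov = { .iov_base = 0x00007f1234567890ULL, .iov_len = 64 };
    unsigned int flags = flags_from_minus_one();
    uint64_t base = 0;
    int err = guarded_dispatch_base(flags, &iov, &base);

    printf("flags=0x%08x compat_bit=%s\n", flags,
           (flags & MSG_CMSG_COMPAT) ? "set" : "clear");
    printf("real base=0x%016llx unguarded=0x%016llx guarded err=%d\n",
           (unsigned long long)iov.iov_base,
           (unsigned long long)unguarded_dispatch_base(flags, &iov), err);
    printf("stripped flags=0x%08x\n", native_entry_strip_flags(flags));
    return 0;
}
```

Rejecting with -EINVAL is the stricter of the two options: a flags word with bit 31 set from a 64-bit caller is already invalid input, and failing loudly is easier to test for than quietly masking the bit.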