author | David Woodhouse <dwmw2@infradead.org> | 2005-09-06 09:30:10 +0100 |
---|---|---|
committer | Chris Wright <chrisw@osdl.org> | 2005-09-09 19:42:53 -0700 |
commit | c255cda2af84db91d19944c092baf5a61c633181 (patch) | |
tree | e9f57016e443ba612b460940b1c58ce91a4d45ff /drivers/md/raid1.c | |
parent | cf43ea034180996242226eac042889c5b06c7df7 (diff) |

[PATCH] 32bit sendmsg() flaw (CAN-2005-2490)

When we copy 32bit ->msg_control contents to kernel, we walk the same
userland data twice without sanity checks on the second pass.

Second version of this patch: the original broke with 64-bit arches
running 32-bit-compat-mode executables doing sendmsg() syscalls with
unaligned CMSG data areas.

Another thing is that we use kmalloc() to allocate and sock_kfree_s()
to free afterwards; less serious, but also needs fixing.

Patch by Al Viro, David Miller, David Woodhouse
(sparc64 clean compile fix from David Miller)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Diffstat (limited to 'drivers/md/raid1.c')
0 files changed, 0 insertions, 0 deletions
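
The double walk described in the commit message, as an added illustration (not code from this commit or from the kernel): a simplified user-space model in which pass 1 sizes the destination and pass 2 re-checks every length it fetches before copying. The names `rec_hdr`, `pass1_size`, `pass2_copy` and `demo` are hypothetical, and the record layout and sample buffer are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical record header (not the kernel's cmsg layout); len = header + payload. */
struct rec_hdr { uint32_t len, type; };

/* Pass 1: walk the user-controlled buffer; return bytes needed, or -1. */
long pass1_size(const unsigned char *ubuf, size_t ulen)
{
    size_t off = 0; struct rec_hdr h;
    while (off + sizeof h <= ulen) {
        memcpy(&h, ubuf + off, sizeof h);        /* first fetch of len */
        if (h.len < sizeof h || h.len > ulen - off)
            return -1;
        off += h.len;
    }
    return (long)off;
}

/* Pass 2: walk again and copy. The source may have changed since pass 1, so each
 * length fetched here is re-checked against the source and the destination. */
long pass2_copy(const unsigned char *ubuf, size_t ulen,
                unsigned char *kbuf, size_t kcap)
{
    size_t off = 0; struct rec_hdr h;
    while (off + sizeof h <= ulen) {
        memcpy(&h, ubuf + off, sizeof h);        /* second fetch of len */
        if (h.len < sizeof h || h.len > ulen - off)
            return -1;                           /* malformed on this pass */
        if (h.len > kcap - off)
            return -1;                           /* grew after pass 1 sized kbuf */
        memcpy(kbuf + off, ubuf + off, h.len);
        off += h.len;
    }
    return (long)off;
}

/* Constructed input: two 12-byte records in a 28-byte buffer. With grow != 0
 * the second record's len becomes 16 between the two passes. */
long demo(int grow)
{
    unsigned char ubuf[28] = {0}, kbuf[24];
    struct rec_hdr a = {12, 1}, b = {12, 2};
    memcpy(ubuf, &a, sizeof a);
    memcpy(ubuf + 12, &b, sizeof b);
    long need = pass1_size(ubuf, sizeof ubuf);   /* 24 bytes */
    if (need < 0 || (size_t)need > sizeof kbuf) return -2;
    if (grow) { b.len = 16; memcpy(ubuf + 12, &b, sizeof b); }
    return pass2_copy(ubuf, sizeof ubuf, kbuf, (size_t)need);
}
```

Without the `kcap - off` check in `pass2_copy`, the grown record would still pass the source-bounds test and the copy would write 4 bytes past the 24-byte destination.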