From c5a4e100085ccbd063df36706cccf93951439cb7 Mon Sep 17 00:00:00 2001 From: Andrei Vagin Date: Mon, 22 Feb 2021 11:37:13 -0800 Subject: unix: sendmmsg and recvmsg have to cap a number of message to UIO_MAXIOV Reported-by: syzbot+f2489ba0b999a45d1ad1@syzkaller.appspotmail.com PiperOrigin-RevId: 358866218 --- pkg/sentry/syscalls/linux/sys_socket.go | 8 ++++++++ pkg/sentry/syscalls/linux/vfs2/socket.go | 8 ++++++++ 2 files changed, 16 insertions(+) (limited to 'pkg/sentry/syscalls') diff --git a/pkg/sentry/syscalls/linux/sys_socket.go b/pkg/sentry/syscalls/linux/sys_socket.go index 686392cc8..c6adfe06b 100644 --- a/pkg/sentry/syscalls/linux/sys_socket.go +++ b/pkg/sentry/syscalls/linux/sys_socket.go @@ -657,6 +657,10 @@ func RecvMMsg(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc return 0, nil, syserror.EINVAL } + if vlen > linux.UIO_MAXIOV { + vlen = linux.UIO_MAXIOV + } + // Reject flags that we don't handle yet. if flags & ^(baseRecvFlags|linux.MSG_CMSG_CLOEXEC|linux.MSG_ERRQUEUE) != 0 { return 0, nil, syserror.EINVAL @@ -938,6 +942,10 @@ func SendMMsg(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc return 0, nil, syserror.EINVAL } + if vlen > linux.UIO_MAXIOV { + vlen = linux.UIO_MAXIOV + } + // Get socket from the file descriptor. file := t.GetFile(fd) if file == nil { diff --git a/pkg/sentry/syscalls/linux/vfs2/socket.go b/pkg/sentry/syscalls/linux/vfs2/socket.go index 7636ca453..346fd1cea 100644 --- a/pkg/sentry/syscalls/linux/vfs2/socket.go +++ b/pkg/sentry/syscalls/linux/vfs2/socket.go @@ -660,6 +660,10 @@ func RecvMMsg(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc return 0, nil, syserror.EINVAL } + if vlen > linux.UIO_MAXIOV { + vlen = linux.UIO_MAXIOV + } + // Reject flags that we don't handle yet. if flags & ^(baseRecvFlags|linux.MSG_CMSG_CLOEXEC|linux.MSG_ERRQUEUE) != 0 { return 0, nil, syserror.EINVAL @@ -941,6 +945,10 @@ func SendMMsg(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc return 0, nil, syserror.EINVAL } + if vlen > linux.UIO_MAXIOV { + vlen = linux.UIO_MAXIOV + } + // Get socket from the file descriptor. file := t.GetFileVFS2(fd) if file == nil { -- cgit v1.2.3