lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 19 Jul 2023 17:34:13 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>, 
 willemdebruijn.kernel@...il.com
Cc: davem@...emloft.net, 
 edumazet@...gle.com, 
 gustavoars@...nel.org, 
 keescook@...omium.org, 
 kuba@...nel.org, 
 kuni1840@...il.com, 
 kuniyu@...zon.com, 
 leitao@...ian.org, 
 netdev@...r.kernel.org, 
 pabeni@...hat.com, 
 syzkaller@...glegroups.com
Subject: RE: [PATCH v1 net 2/2] af_packet: Fix warning of fortified memcpy()
 in packet_getname().

> >  
> > > The write seems to overflow, but actually not since we use struct
> > > sockaddr_storage defined in __sys_getsockname().
> > 
> > Which gives _K_SS_MAXSIZE == 128, minus offsetof(struct sockaddr_ll, sll_addr).
> > 
> > For fun, there is another caller. getsockopt SO_PEERNAME also calls
> > sock->ops->getname, with a buffer hardcoded to 128. Should probably
> > use sizeof(sockaddr_storage) for documentation, at least.
> > 
> > .. and I just noticed that that was attempted, but not completed
> > https://lore.kernel.org/lkml/20140928135545.GA23220@type.youpi.perso.aquilenet.fr/
> 
> Yes, acutally my first draft had the diff below, but I dropped it
> because packet_getname() does not call memcpy() for SO_PEERNAME at
> least, and same for getpeername().
> 
> And interestingly there was a revival thread.
> https://lore.kernel.org/netdev/20230719084415.1378696-1-leitao@debian.org/

Ah interesting :) Topical.

> I can include this in v2 if needed.
> What do you think ?
> 
> ---8<---
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 9370fd50aa2c..f1e887c3115f 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1815,14 +1815,14 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
>  
>  	case SO_PEERNAME:
>  	{
> -		char address[128];
> +		struct sockaddr_storage address;
>  
> -		lv = sock->ops->getname(sock, (struct sockaddr *)address, 2);
> +		lv = sock->ops->getname(sock, (struct sockaddr *)&address, 2);
>  		if (lv < 0)
>  			return -ENOTCONN;
>  		if (lv < len)
>  			return -EINVAL;
> -		if (copy_to_sockptr(optval, address, len))
> +		if (copy_to_sockptr(optval, &address, len))
>  			return -EFAULT;
>  		goto lenout;
>  	}
> ---8<---

I agree that it's a worthwhile change. I think it should be an
independent commit. And since it does not fix a bug, target net-next.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ