Date:   Thu, 14 May 2020 13:27:46 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Marcelo Ricardo Leitner' <marcelo.leitner@...il.com>,
        'Christoph Hellwig' <hch@....de>
CC:     "'David S. Miller'" <davem@...emloft.net>,
        'Jakub Kicinski' <kuba@...nel.org>,
        'Eric Dumazet' <edumazet@...gle.com>,
        'Alexey Kuznetsov' <kuznet@....inr.ac.ru>,
        'Hideaki YOSHIFUJI' <yoshfuji@...ux-ipv6.org>,
        "'Vlad Yasevich'" <vyasevich@...il.com>,
        'Neil Horman' <nhorman@...driver.com>,
        "'Jon Maloy'" <jmaloy@...hat.com>,
        'Ying Xue' <ying.xue@...driver.com>,
        "'drbd-dev@...ts.linbit.com'" <drbd-dev@...ts.linbit.com>,
        "'linux-block@...r.kernel.org'" <linux-block@...r.kernel.org>,
        "'linux-kernel@...r.kernel.org'" <linux-kernel@...r.kernel.org>,
        "'linux-rdma@...r.kernel.org'" <linux-rdma@...r.kernel.org>,
        "'linux-nvme@...ts.infradead.org'" <linux-nvme@...ts.infradead.org>,
        "'target-devel@...r.kernel.org'" <target-devel@...r.kernel.org>,
        "'linux-afs@...ts.infradead.org'" <linux-afs@...ts.infradead.org>,
        "'linux-cifs@...r.kernel.org'" <linux-cifs@...r.kernel.org>,
        "'cluster-devel@...hat.com'" <cluster-devel@...hat.com>,
        "'ocfs2-devel@....oracle.com'" <ocfs2-devel@....oracle.com>,
        "'netdev@...r.kernel.org'" <netdev@...r.kernel.org>,
        "'linux-sctp@...r.kernel.org'" <linux-sctp@...r.kernel.org>,
        "'ceph-devel@...r.kernel.org'" <ceph-devel@...r.kernel.org>,
        "'rds-devel@....oracle.com'" <rds-devel@....oracle.com>,
        "'linux-nfs@...r.kernel.org'" <linux-nfs@...r.kernel.org>
Subject: RE: [PATCH 32/33] sctp: add sctp_sock_get_primary_addr

From: David Laight
> Sent: 14 May 2020 13:30
> Subject: RE: [PATCH 32/33] sctp: add sctp_sock_get_primary_addr
> 
> From: David Laight
> > Sent: 14 May 2020 10:51
> > From: Marcelo Ricardo Leitner
> > > Sent: 13 May 2020 19:03
> > >
> > > On Wed, May 13, 2020 at 08:26:47AM +0200, Christoph Hellwig wrote:
> > > > Add a helper to directly get the SCTP_PRIMARY_ADDR sockopt from kernel
> > > > space without going through a fake uaccess.
> > >
> > > Same comment as on the other dlm/sctp patch.
> >
> > Wouldn't it be best to write sctp_[gs]etsockopt() that
> > use a kernel buffer and then implement the user-space
> > calls using a wrapper that does the copies to an on-stack
> > (or malloced if big) buffer.
> 
> Actually looking at __sys_setsockopt() it calls
> BPF_CGROUP_RUN_PROG_SETSOCKOPT() which (by the look of it)
> can copy the user buffer into malloc()ed memory and
> cause set_fs(KERNEL_DS) to be called.
> 
> The only way to get rid of that set_fs() is to always
> have the buffer in kernel memory when the underlying
> setsockopt() code is called.

And having started to try coding __sys_setsockopt()
and then found the compat code I suspect that would
be a whole lot more sane if the buffer was in kernel
and it knew that at least (say) 64 bytes were allocated.

The whole compat_alloc_user_space() 'crap' could probably go.

Actually it looks like an application can avoid whatever
checks BPF_CGROUP_RUN_PROG_SETSOCKOPT() is trying to do
by using the 32bit compat ioctls.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
