lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 May 2020 07:32:14 +0000 From: David Laight <David.Laight@...LAB.COM> To: 'Marcelo Ricardo Leitner' <marcelo.leitner@...il.com> CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-sctp@...r.kernel.org" <linux-sctp@...r.kernel.org>, Neil Horman <nhorman@...driver.com> Subject: RE: [PATCH net-next] sctp: Pull the user copies out of the individual sockopt functions. From: 'Marcelo Ricardo Leitner' > Sent: 21 May 2020 01:17 > On Wed, May 20, 2020 at 03:08:13PM +0000, David Laight wrote: > ... > > Only SCTP_SOCKOPT_CONNECTX3 contains an indirect pointer. > > It is also the only getsockopt() that wants to return a buffer > > and an error code. It is also definitely abusing getsockopt(). > ... > > @@ -1375,11 +1350,11 @@ struct compat_sctp_getaddrs_old { > > #endif > > > > static int sctp_getsockopt_connectx3(struct sock *sk, int len, > > - char __user *optval, > > - int __user *optlen) > > + struct sctp_getaddrs_old *param, > > + int *optlen) > > { > > - struct sctp_getaddrs_old param; > > sctp_assoc_t assoc_id = 0; > > + struct sockaddr *addrs; > > int err = 0; > > > > #ifdef CONFIG_COMPAT .. > > } else > > #endif > > { > > - if (len < sizeof(param)) > > + if (len < sizeof(*param)) > > return -EINVAL; > > - if (copy_from_user(¶m, optval, sizeof(param))) > > - return -EFAULT; > > } > > > > - err = __sctp_setsockopt_connectx(sk, (struct sockaddr __user *) > > - param.addrs, param.addr_num, > > + addrs = memdup_user(param->addrs, param->addr_num); > > I'm staring at this for a while now but I don't get this memdup_user. > AFAICT, params->addrs is not __user anymore here, because > sctp_getsockopt() copied the whole thing already, no? > Also weird because it is being called from kernel_sctp_getsockopt(), > which now has no knowledge of __user buffers. > Maybe I didn't get something from the patch description. The connectx3 sockopt buffer contains a pointer to the user buffer that contains the actual addresses. So a second copy_from_user() is needed. This does mean that this option can only be actioned from userspace. Kernel code can get the same functionality using one of the other interfaces to connectx(). David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Powered by blists - more mailing lists