| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6357942b-0b6e-1901-7dce-e308c9fac347@gmail.com>
Date: Thu, 6 Aug 2020 15:21:25 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Christoph Hellwig <hch@....de>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Eric Dumazet <edumazet@...gle.com>
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, bpf@...r.kernel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
linux-sctp@...r.kernel.org, linux-hams@...r.kernel.org,
linux-bluetooth@...r.kernel.org, bridge@...ts.linux-foundation.org,
linux-can@...r.kernel.org, dccp@...r.kernel.org,
linux-decnet-user@...ts.sourceforge.net,
linux-wpan@...r.kernel.org, linux-s390@...r.kernel.org,
mptcp@...ts.01.org, lvs-devel@...r.kernel.org,
rds-devel@....oracle.com, linux-afs@...ts.infradead.org,
tipc-discussion@...ts.sourceforge.net, linux-x25@...r.kernel.org,
Stefan Schmidt <stefan@...enfreihafen.org>
Subject: Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt
On 7/22/20 11:09 PM, Christoph Hellwig wrote:
> Rework the remaining setsockopt code to pass a sockptr_t instead of a
> plain user pointer. This removes the last remaining set_fs(KERNEL_DS)
> outside of architecture specific code.
>
> Signed-off-by: Christoph Hellwig <hch@....de>
> Acked-by: Stefan Schmidt <stefan@...enfreihafen.org> [ieee802154]
> ---
...
> diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
> index 594e01ad670aa6..874f01cd7aec42 100644
> --- a/net/ipv6/raw.c
> +++ b/net/ipv6/raw.c
> @@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> }
>
...
> static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
> - char __user *optval, unsigned int optlen)
> + sockptr_t optval, unsigned int optlen)
> {
> struct raw6_sock *rp = raw6_sk(sk);
> int val;
>
> - if (get_user(val, (int __user *)optval))
> + if (copy_from_sockptr(&val, optval, sizeof(val)))
> return -EFAULT;
>
converting get_user(...) to copy_from_sockptr(...) really assumed the optlen
has been validated to be >= sizeof(int) earlier.
Which is not always the case, for example here.
User application can fool us passing optlen=0, and a user pointer of exactly TASK_SIZE-1
Powered by blists - more mailing lists