| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f21589f1262640b09ca27ed20f8e6790@AcuMS.aculab.com>
Date: Fri, 7 Aug 2020 09:18:03 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Eric Dumazet' <eric.dumazet@...il.com>,
Christoph Hellwig <hch@....de>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Eric Dumazet <edumazet@...gle.com>
CC: "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
"coreteam@...filter.org" <coreteam@...filter.org>,
"linux-sctp@...r.kernel.org" <linux-sctp@...r.kernel.org>,
"linux-hams@...r.kernel.org" <linux-hams@...r.kernel.org>,
"linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
"bridge@...ts.linux-foundation.org"
<bridge@...ts.linux-foundation.org>,
"linux-can@...r.kernel.org" <linux-can@...r.kernel.org>,
"dccp@...r.kernel.org" <dccp@...r.kernel.org>,
"linux-decnet-user@...ts.sourceforge.net"
<linux-decnet-user@...ts.sourceforge.net>,
"linux-wpan@...r.kernel.org" <linux-wpan@...r.kernel.org>,
"linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>,
"mptcp@...ts.01.org" <mptcp@...ts.01.org>,
"lvs-devel@...r.kernel.org" <lvs-devel@...r.kernel.org>,
"rds-devel@....oracle.com" <rds-devel@....oracle.com>,
"linux-afs@...ts.infradead.org" <linux-afs@...ts.infradead.org>,
"tipc-discussion@...ts.sourceforge.net"
<tipc-discussion@...ts.sourceforge.net>,
"linux-x25@...r.kernel.org" <linux-x25@...r.kernel.org>,
Stefan Schmidt <stefan@...enfreihafen.org>
Subject: RE: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt
From: Eric Dumazet
> Sent: 06 August 2020 23:21
>
> On 7/22/20 11:09 PM, Christoph Hellwig wrote:
> > Rework the remaining setsockopt code to pass a sockptr_t instead of a
> > plain user pointer. This removes the last remaining set_fs(KERNEL_DS)
> > outside of architecture specific code.
> >
> > Signed-off-by: Christoph Hellwig <hch@....de>
> > Acked-by: Stefan Schmidt <stefan@...enfreihafen.org> [ieee802154]
> > ---
>
>
> ...
>
> > diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
> > index 594e01ad670aa6..874f01cd7aec42 100644
> > --- a/net/ipv6/raw.c
> > +++ b/net/ipv6/raw.c
> > @@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> > }
> >
>
> ...
>
> > static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
> > - char __user *optval, unsigned int optlen)
> > + sockptr_t optval, unsigned int optlen)
> > {
> > struct raw6_sock *rp = raw6_sk(sk);
> > int val;
> >
> > - if (get_user(val, (int __user *)optval))
> > + if (copy_from_sockptr(&val, optval, sizeof(val)))
> > return -EFAULT;
> >
>
> converting get_user(...) to copy_from_sockptr(...) really assumed the optlen
> has been validated to be >= sizeof(int) earlier.
>
> Which is not always the case, for example here.
>
> User application can fool us passing optlen=0, and a user pointer of exactly TASK_SIZE-1
Won't the user pointer force copy_from_sockptr() to call
copy_from_user() which will then do access_ok() on the entire
range and so return -EFAULT.
The only problems arise if the kernel code adds an offset to the
user address.
And the later patch added an offset to the copy functions.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists