[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230719213903.65060-1-kuniyu@amazon.com>
Date: Wed, 19 Jul 2023 14:39:03 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <willemdebruijn.kernel@...il.com>
CC: <davem@...emloft.net>, <edumazet@...gle.com>, <gustavoars@...nel.org>,
<keescook@...omium.org>, <kuba@...nel.org>, <kuni1840@...il.com>,
<kuniyu@...zon.com>, <leitao@...ian.org>, <netdev@...r.kernel.org>,
<pabeni@...hat.com>, <syzkaller@...glegroups.com>
Subject: RE: [PATCH v1 net 2/2] af_packet: Fix warning of fortified memcpy() in packet_getname().
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Date: Wed, 19 Jul 2023 17:34:13 -0400
> > > > The write seems to overflow, but actually not since we use struct
> > > > sockaddr_storage defined in __sys_getsockname().
> > >
> > > Which gives _K_SS_MAXSIZE == 128, minus offsetof(struct sockaddr_ll, sll_addr).
> > >
> > > For fun, there is another caller. getsockopt SO_PEERNAME also calls
> > > sock->ops->getname, with a buffer hardcoded to 128. Should probably
> > > use sizeof(sockaddr_storage) for documentation, at least.
> > >
> > > .. and I just noticed that that was attempted, but not completed
> > > https://lore.kernel.org/lkml/20140928135545.GA23220@type.youpi.perso.aquilenet.fr/
> >
> > Yes, acutally my first draft had the diff below, but I dropped it
> > because packet_getname() does not call memcpy() for SO_PEERNAME at
> > least, and same for getpeername().
> >
> > And interestingly there was a revival thread.
> > https://lore.kernel.org/netdev/20230719084415.1378696-1-leitao@debian.org/
>
> Ah interesting :) Topical.
>
> > I can include this in v2 if needed.
> > What do you think ?
> >
> > ---8<---
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index 9370fd50aa2c..f1e887c3115f 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -1815,14 +1815,14 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
> >
> > case SO_PEERNAME:
> > {
> > - char address[128];
> > + struct sockaddr_storage address;
> >
> > - lv = sock->ops->getname(sock, (struct sockaddr *)address, 2);
> > + lv = sock->ops->getname(sock, (struct sockaddr *)&address, 2);
> > if (lv < 0)
> > return -ENOTCONN;
> > if (lv < len)
> > return -EINVAL;
> > - if (copy_to_sockptr(optval, address, len))
> > + if (copy_to_sockptr(optval, &address, len))
> > return -EFAULT;
> > goto lenout;
> > }
> > ---8<---
>
> I agree that it's a worthwhile change. I think it should be an
> independent commit. And since it does not fix a bug, target net-next.
Sure, will post a patch to net-next later.
Powered by blists - more mailing lists