lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230719213903.65060-1-kuniyu@amazon.com>
Date: Wed, 19 Jul 2023 14:39:03 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <willemdebruijn.kernel@...il.com>
CC: <davem@...emloft.net>, <edumazet@...gle.com>, <gustavoars@...nel.org>,
	<keescook@...omium.org>, <kuba@...nel.org>, <kuni1840@...il.com>,
	<kuniyu@...zon.com>, <leitao@...ian.org>, <netdev@...r.kernel.org>,
	<pabeni@...hat.com>, <syzkaller@...glegroups.com>
Subject: RE: [PATCH v1 net 2/2] af_packet: Fix warning of fortified memcpy() in packet_getname().

From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Date: Wed, 19 Jul 2023 17:34:13 -0400
> > > > The write seems to overflow, but actually not since we use struct
> > > > sockaddr_storage defined in __sys_getsockname().
> > > 
> > > Which gives _K_SS_MAXSIZE == 128, minus offsetof(struct sockaddr_ll, sll_addr).
> > > 
> > > For fun, there is another caller. getsockopt SO_PEERNAME also calls
> > > sock->ops->getname, with a buffer hardcoded to 128. Should probably
> > > use sizeof(sockaddr_storage) for documentation, at least.
> > > 
> > > .. and I just noticed that that was attempted, but not completed
> > > https://lore.kernel.org/lkml/20140928135545.GA23220@type.youpi.perso.aquilenet.fr/
> > 
> > Yes, acutally my first draft had the diff below, but I dropped it
> > because packet_getname() does not call memcpy() for SO_PEERNAME at
> > least, and same for getpeername().
> > 
> > And interestingly there was a revival thread.
> > https://lore.kernel.org/netdev/20230719084415.1378696-1-leitao@debian.org/
> 
> Ah interesting :) Topical.
> 
> > I can include this in v2 if needed.
> > What do you think ?
> > 
> > ---8<---
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index 9370fd50aa2c..f1e887c3115f 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -1815,14 +1815,14 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
> >  
> >  	case SO_PEERNAME:
> >  	{
> > -		char address[128];
> > +		struct sockaddr_storage address;
> >  
> > -		lv = sock->ops->getname(sock, (struct sockaddr *)address, 2);
> > +		lv = sock->ops->getname(sock, (struct sockaddr *)&address, 2);
> >  		if (lv < 0)
> >  			return -ENOTCONN;
> >  		if (lv < len)
> >  			return -EINVAL;
> > -		if (copy_to_sockptr(optval, address, len))
> > +		if (copy_to_sockptr(optval, &address, len))
> >  			return -EFAULT;
> >  		goto lenout;
> >  	}
> > ---8<---
> 
> I agree that it's a worthwhile change. I think it should be an
> independent commit. And since it does not fix a bug, target net-next.

Sure, will post a patch to net-next later.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ