| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <650af39492a56_37ac7329469@willemb.c.googlers.com.notmuch>
Date: Wed, 20 Sep 2023 09:28:52 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Jordan Rife <jrife@...gle.com>,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
willemdebruijn.kernel@...il.com,
netdev@...r.kernel.org
Cc: dborkman@...nel.org,
Jordan Rife <jrife@...gle.com>,
stable@...r.kernel.org
Subject: Re: [PATCH net v4 2/3] net: prevent rewrite of msg_name in
sock_sendmsg()
Jordan Rife wrote:
> Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel
> space may observe their value of msg_name change in cases where BPF
> sendmsg hooks rewrite the send address. This has been confirmed to break
> NFS mounts running in UDP mode and has the potential to break other
> systems.
>
> This patch:
>
> 1) Creates a new function called __sock_sendmsg() with same logic as the
> old sock_sendmsg() function.
> 2) Replaces calls to sock_sendmsg() made by __sys_sendto() and
> __sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy,
> as these system calls are already protected.
> 3) Modifies sock_sendmsg() so that it makes a copy of msg_name if
> present before passing it down the stack to insulate callers from
> changes to the send address.
>
> Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
> Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
> Cc: stable@...r.kernel.org
> Signed-off-by: Jordan Rife <jrife@...gle.com>
Reviewed-by: Willem de Bruijn <willemb@...gle.com>
Powered by blists - more mailing lists