| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZuH4B7STmaY0AI1m@mini-arch> Date: Wed, 11 Sep 2024 13:05:27 -0700 From: Stanislav Fomichev <stfomichev@...il.com> To: Cong Wang <xiyou.wangcong@...il.com> Cc: Eric Dumazet <edumazet@...gle.com>, Qianqiang Liu <qianqiang.liu@....com>, davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] net: check the return value of the copy_from_sockptr On 09/11, Cong Wang wrote: > On Wed, Sep 11, 2024 at 11:49:32AM -0700, Stanislav Fomichev wrote: > > Can you explain what is not correct? > > > > Calling BPF_CGROUP_RUN_PROG_GETSOCKOPT with max_optlen=0 should not be > > a problem I think? (the buffer simply won't be accessible to the bpf prog) > > Sure. Sorry for not providing all the details. > > If I understand the behavior of copy_from_user() correctly, it may > return partially copied data in case of error, which then leads to a > partially-copied 'max_optlen'. > > So, do you expect a partially-copied max_optlen to be passed to the > eBPF program meanwhile the user still expects a complete one (since no > -EFAULT)? > > Thanks. Partial copy is basically the same as user giving us garbage input, right? That should still be handled correctly I think. __cgroup_bpf_run_filter_getsockopt (via sockopt_alloc_buf) should handle both cases correctly: - garbage input / partial copy resulting in negative number -> EINVAL - garbage input / partial copy resulting in too large number -> potentially EFAULT when trying to copy PAGE_SIZE-worth of data Also, for the EOPNOTSUPP case, we shouldn't even bother copying any data. Am I missing something?
Powered by blists - more mailing lists