On Mon, Jul 27, 2020 at 05:03:10PM +0200, Jason A. Donenfeld wrote:
> Hi Christoph,
>
> On Thu, Jul 23, 2020 at 08:08:54AM +0200, Christoph Hellwig wrote:
> > diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> > index da933f99b5d517..42befbf12846c0 100644
> > --- a/net/ipv4/ip_sockglue.c
> > +++ b/net/ipv4/ip_sockglue.c
> > @@ -1422,7 +1422,8 @@ int ip_setsockopt(struct sock *sk, int level,
> > optname != IP_IPSEC_POLICY &&
> > optname != IP_XFRM_POLICY &&
> > !ip_mroute_opt(optname))
> > - err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
> > + err = nf_setsockopt(sk, PF_INET, optname, USER_SOCKPTR(optval),
> > + optlen);
> > #endif
> > return err;
> > }
> > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> > index 4697d09c98dc3e..f2a9680303d8c0 100644
> > --- a/net/ipv4/netfilter/ip_tables.c
> > +++ b/net/ipv4/netfilter/ip_tables.c
> > @@ -1102,7 +1102,7 @@ __do_replace(struct net *net, const char *name,
> > unsigned int valid_hooks,
> > }
> >
> > static int
> > -do_replace(struct net *net, const void __user *user, unsigned int len)
> > +do_replace(struct net *net, sockptr_t arg, unsigned int len)
> > {
> > int ret;
> > struct ipt_replace tmp;
> > @@ -1110,7 +1110,7 @@ do_replace(struct net *net, const void __user *user,
> > unsigned int len)
> > void *loc_cpu_entry;
> > struct ipt_entry *iter;
> >
> > - if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
> > + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
> > return -EFAULT;
> >
> > /* overflow check */
> > @@ -1126,8 +1126,8 @@ do_replace(struct net *net, const void __user *user,
> > unsigned int len)
> > return -ENOMEM;
> >
> > loc_cpu_entry = newinfo->entries;
> > - if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
> > - tmp.size) != 0) {
> > + sockptr_advance(arg, sizeof(tmp));
> > + if (copy_from_sockptr(loc_cpu_entry, arg, tmp.size) != 0) {
> > ret = -EFAULT;
> > goto free_newinfo;
> > }
>
> Something along this path seems to have broken with this patch. An
> invocation of `iptables -A INPUT -m length --length 1360 -j DROP` now
> fails, with
>
> nf_setsockopt->do_replace->translate_table->check_entry_size_and_hooks:
> (unsigned char *)e + e->next_offset > limit ==> TRUE
>
> resulting in the whole call chain returning -EINVAL. It bisects back to
> this commit. This is on net-next.
This is another use o sockptr_advance that Ido already found a problem
in. I'm looking into this at the moment..
|