Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt

To: Christoph Hellwig <hch@xxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, Alexei Starovoitov <ast@xxxxxxxxxx>, Daniel Borkmann <daniel@xxxxxxxxxxxxx>, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, Hideaki YOSHIFUJI <yoshfuji@xxxxxxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>
Subject: Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt
Cc: linux-crypto@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, bpf@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx, linux-sctp@xxxxxxxxxxxxxxx, linux-hams@xxxxxxxxxxxxxxx, linux-bluetooth@xxxxxxxxxxxxxxx, bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx, linux-can@xxxxxxxxxxxxxxx, dccp@xxxxxxxxxxxxxxx, linux-decnet-user@xxxxxxxxxxxxxxxxxxxxx, linux-wpan@xxxxxxxxxxxxxxx, linux-s390@xxxxxxxxxxxxxxx, mptcp@xxxxxxxxxxxx, lvs-devel@xxxxxxxxxxxxxxx, rds-devel@xxxxxxxxxxxxxx, linux-afs@xxxxxxxxxxxxxxxxxxx, tipc-discussion@xxxxxxxxxxxxxxxxxxxxx, linux-x25@xxxxxxxxxxxxxxx, Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx>
From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Date: Thu, 6 Aug 2020 15:21:25 -0700

On 7/22/20 11:09 PM, Christoph Hellwig wrote:
> Rework the remaining setsockopt code to pass a sockptr_t instead of a
> plain user pointer.  This removes the last remaining set_fs(KERNEL_DS)
> outside of architecture specific code.
> Signed-off-by: Christoph Hellwig <hch@xxxxxx>
> Acked-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx> [ieee802154]
> ---


> diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
> index 594e01ad670aa6..874f01cd7aec42 100644
> --- a/net/ipv6/raw.c
> +++ b/net/ipv6/raw.c
> @@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr 
> *msg, size_t len)
>  }


>  static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
> -                         char __user *optval, unsigned int optlen)
> +                            sockptr_t optval, unsigned int optlen)
>  {
>       struct raw6_sock *rp = raw6_sk(sk);
>       int val;
> -     if (get_user(val, (int __user *)optval))
> +     if (copy_from_sockptr(&val, optval, sizeof(val)))
>               return -EFAULT;

converting get_user(...)   to  copy_from_sockptr(...) really assumed the optlen
has been validated to be >= sizeof(int) earlier.

Which is not always the case, for example here.

User application can fool us passing optlen=0, and a user pointer of exactly 

<Prev in Thread] Current Thread [Next in Thread>