Linux Ethernet Bridging - Aug 2020 - [Bridge] [PATCH 25/26] net: pass a sockptr_t into ->setsockopt

On 7/22/20 11:09 PM, Christoph Hellwig wrote:
> Rework the remaining setsockopt code to pass a sockptr_t instead of a
> plain user pointer.  This removes the last remaining set_fs(KERNEL_DS)
> outside of architecture specific code.
> 
> Signed-off-by: Christoph Hellwig <hch at lst.de>
> Acked-by: Stefan Schmidt <stefan at datenfreihafen.org> [ieee802154]
> ---

...
> diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
> index 594e01ad670aa6..874f01cd7aec42 100644
> --- a/net/ipv6/raw.c
> +++ b/net/ipv6/raw.c
> @@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct
msghdr *msg, size_t len)
>  }
>  
...
>  static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
> -			    char __user *optval, unsigned int optlen)
> +			       sockptr_t optval, unsigned int optlen)
>  {
>  	struct raw6_sock *rp = raw6_sk(sk);
>  	int val;
>  
> -	if (get_user(val, (int __user *)optval))
> +	if (copy_from_sockptr(&val, optval, sizeof(val)))
>  		return -EFAULT;
>  
converting get_user(...)   to  copy_from_sockptr(...) really assumed the optlen
has been validated to be >= sizeof(int) earlier.

Which is not always the case, for example here.

User application can fool us passing optlen=0, and a user pointer of exactly
TASK_SIZE-1

On Thu, Aug 06, 2020 at 03:21:25PM -0700, Eric Dumazet
wrote:
> converting get_user(...)   to  copy_from_sockptr(...) really assumed the
optlen
> has been validated to be >= sizeof(int) earlier.
> 
> Which is not always the case, for example here.
Yes.  And besides the bpfilter mess the main reason I even had to add
the sockptr vs just copying optlen in the high-level socket code.

Please take a look at the patch in the other thread to just revert to
the "dumb" version everywhere.

From: Eric Dumazet
> Sent: 06 August 2020 23:21
> 
> On 7/22/20 11:09 PM, Christoph Hellwig wrote:
> > Rework the remaining setsockopt code to pass a sockptr_t instead of a
> > plain user pointer.  This removes the last remaining set_fs(KERNEL_DS)
> > outside of architecture specific code.
> >
> > Signed-off-by: Christoph Hellwig <hch at lst.de>
> > Acked-by: Stefan Schmidt <stefan at datenfreihafen.org>
[ieee802154]
> > ---
> 
> 
> ...
> 
> > diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
> > index 594e01ad670aa6..874f01cd7aec42 100644
> > --- a/net/ipv6/raw.c
> > +++ b/net/ipv6/raw.c
> > @@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct
msghdr *msg, size_t len)
> >  }
> >
> 
> ...
> 
> >  static int do_rawv6_setsockopt(struct sock *sk, int level, int
optname,
> > -			    char __user *optval, unsigned int optlen)
> > +			       sockptr_t optval, unsigned int optlen)
> >  {
> >  	struct raw6_sock *rp = raw6_sk(sk);
> >  	int val;
> >
> > -	if (get_user(val, (int __user *)optval))
> > +	if (copy_from_sockptr(&val, optval, sizeof(val)))
> >  		return -EFAULT;
> >
> 
> converting get_user(...)   to  copy_from_sockptr(...) really assumed the
optlen
> has been validated to be >= sizeof(int) earlier.
> 
> Which is not always the case, for example here.
> 
> User application can fool us passing optlen=0, and a user pointer of
exactly TASK_SIZE-1
Won't the user pointer force copy_from_sockptr() to call
copy_from_user() which will then do access_ok() on the entire
range and so return -EFAULT.

The only problems arise if the kernel code adds an offset to the
user address.
And the later patch added an offset to the copy functions.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT,
UK
Registration No: 1397386 (Wales)