RE: get rid of the address_space override in setsockopt v2

get rid of the address_space override in setsockopt v2 · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 02/26] net/bpfilter: split __bpfilter_process_sockopt · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 06/26] net: switch sock_setbindtodevice to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 10/26] netfilter: remove the unused user argument to do_update_counters · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 14/26] net/ipv4: switch ip_mroute_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 15/26] net/ipv4: merge ip_options_get and ip_options_get_from_user · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Ido Schimmel <hidden> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Ido Schimmel <hidden> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Ido Schimmel <hidden> · 2020-07-27
RE: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · David Laight <hidden> · 2020-07-27
[PATCH 26/26] net: optimize the sockptr_t for unified kernel/user address spaces · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [MPTCP] [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Matthieu Baerts <hidden> · 2020-07-23
Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Eric Dumazet <hidden> · 2020-08-06
Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Christoph Hellwig <hch@lst.de> · 2020-08-07
RE: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · David Laight <hidden> · 2020-08-07
Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Eric Dumazet <hidden> · 2020-08-07
RE: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · David Laight <hidden> · 2020-08-08
[PATCH 18/26] net/ipv6: split up ipv6_flowlabel_opt · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 17/26] net/ipv6: switch ip6_mroute_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 24/26] net/tcp: switch do_tcp_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 16/26] net/ipv4: switch do_ip_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 22/26] net/udp: switch udp_lib_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 23/26] net/tcp: switch ->md5_parse to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 21/26] net/ipv6: switch do_ipv6_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 20/26] net/ipv6: factor out a ipv6_set_opt_hdr helper · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 13/26] bpfilter: switch bpfilter_ip_set_sockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
RE: [PATCH 13/26] bpfilter: switch bpfilter_ip_set_sockopt to sockptr_t · David Laight <hidden> · 2020-07-23
Re: [PATCH 13/26] bpfilter: switch bpfilter_ip_set_sockopt to sockptr_t · 'Christoph Hellwig' <hch@lst.de> · 2020-07-23
[PATCH 11/26] netfilter: switch xt_copy_counters to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
RE: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · David Laight <hidden> · 2020-07-28
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-28
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-27
[PATCH 09/26] net/xfrm: switch xfrm_user_policy to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 01/26] bpfilter: fix up a sparse annotation · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 01/26] bpfilter: fix up a sparse annotation · Luc Van Oostenryck <hidden> · 2020-07-23
[PATCH 08/26] net: switch sock_set_timeout to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [MPTCP] [PATCH 08/26] net: switch sock_set_timeout to sockptr_t · Matthieu Baerts <hidden> · 2020-07-23
[PATCH 07/26] net: switch sock_set_timeout to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 05/26] net: switch copy_bpf_fprog_from_user to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 04/26] net: add a new sockptr_t type · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 04/26] net: add a new sockptr_t type · Jan Engelhardt <hidden> · 2020-07-23
Re: [PATCH 04/26] net: add a new sockptr_t type · Eric Dumazet <edumazet@google.com> · 2020-07-23
Re: [PATCH 04/26] net: add a new sockptr_t type · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 03/26] bpfilter: reject kernel addresses · Christoph Hellwig <hch@lst.de> · 2020-07-23
RE: [PATCH 03/26] bpfilter: reject kernel addresses · David Laight <hidden> · 2020-07-23
Re: [PATCH 03/26] bpfilter: reject kernel addresses · 'Christoph Hellwig' <hch@lst.de> · 2020-07-23
RE: [PATCH 03/26] bpfilter: reject kernel addresses · David Laight <hidden> · 2020-07-23
Re: get rid of the address_space override in setsockopt v2 · David Miller <davem@davemloft.net> · 2020-07-24
Re: get rid of the address_space override in setsockopt v2 · Christoph Hellwig <hch@lst.de> · 2020-07-26
Re: get rid of the address_space override in setsockopt v2 · David Miller <davem@davemloft.net> · 2020-07-26
RE: get rid of the address_space override in setsockopt v2 · David Laight <hidden> · 2020-07-27
Re: get rid of the address_space override in setsockopt v2 · Al Viro <viro@zeniv.linux.org.uk> · 2020-07-27
RE: get rid of the address_space override in setsockopt v2 · David Laight <hidden> · 2020-07-27

From: David Laight <hidden>
Date: 2020-07-27 09:51:54
Also in: bpf, bridge, linux-bluetooth, linux-can, linux-crypto, linux-hams, linux-s390, linux-sctp, lkml, lvs-devel, mptcp, netfilter-devel

From: David Miller

Sent: 24 July 2020 23:44

From: Christoph Hellwig <hch@lst.de>
Date: Thu, 23 Jul 2020 08:08:42 +0200

quoted

setsockopt is the last place in architecture-independ code that still
uses set_fs to force the uaccess routines to operate on kernel pointers.

This series adds a new sockptr_t type that can contained either a kernel
or user pointer, and which has accessors that do the right thing, and
then uses it for setsockopt, starting by refactoring some low-level
helpers and moving them over to it before finally doing the main
setsockopt method.

Note that apparently the eBPF selftests do not even cover this path, so
the series has been tested with a testing patch that always copies the
data first and passes a kernel pointer.  This is something that works for
most common sockopts (and is something that the ePBF support relies on),
but unfortunately in various corner cases we either don't use the passed
in length, or in one case actually copy data back from setsockopt, or in
case of bpfilter straight out do not work with kernel pointers at all.

Against net-next/master.

Changes since v1:
 - check that users don't pass in kernel addresses
 - more bpfilter cleanups
 - cosmetic mptcp tweak

Series applied to net-next, I'm build testing and will push this out when
that is done.

Hmmm... this code does:

int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
		int optlen)
{
	sockptr_t optval;
	char *kernel_optval = NULL;
	int err, fput_needed;
	struct socket *sock;

	if (optlen < 0)
		return -EINVAL;

	err = init_user_sockptr(&optval, user_optval);
	if (err)
		return err;

And the called code does:
	if (copy_from_sockptr(&opt, optbuf, sizeof(opt)))
		return -EFAULT;


Which means that only the base of the user's buffer is checked
for being in userspace.

I'm sure there is code that processes options in chunks.
This probably means it is possible to put a chunk boundary
at the end of userspace and continue processing the very start
of kernel memory.

At best this faults on the kernel copy code and crashes the system.

Maybe there wasn't any code that actually incremented the user address.
But it is hardly robust.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help