Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt

get rid of the address_space override in setsockopt v2 · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 02/26] net/bpfilter: split __bpfilter_process_sockopt · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 06/26] net: switch sock_setbindtodevice to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 10/26] netfilter: remove the unused user argument to do_update_counters · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 14/26] net/ipv4: switch ip_mroute_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 15/26] net/ipv4: merge ip_options_get and ip_options_get_from_user · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Ido Schimmel <hidden> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Ido Schimmel <hidden> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · Ido Schimmel <hidden> · 2020-07-27
RE: [PATCH 19/26] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t · David Laight <hidden> · 2020-07-27
[PATCH 26/26] net: optimize the sockptr_t for unified kernel/user address spaces · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [MPTCP] [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Matthieu Baerts <hidden> · 2020-07-23
Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Eric Dumazet <hidden> · 2020-08-06
Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Christoph Hellwig <hch@lst.de> · 2020-08-07
RE: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · David Laight <hidden> · 2020-08-07
Re: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · Eric Dumazet <hidden> · 2020-08-07
RE: [PATCH 25/26] net: pass a sockptr_t into ->setsockopt · David Laight <hidden> · 2020-08-08
[PATCH 18/26] net/ipv6: split up ipv6_flowlabel_opt · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 17/26] net/ipv6: switch ip6_mroute_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 24/26] net/tcp: switch do_tcp_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 16/26] net/ipv4: switch do_ip_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 22/26] net/udp: switch udp_lib_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 23/26] net/tcp: switch ->md5_parse to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 21/26] net/ipv6: switch do_ipv6_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 20/26] net/ipv6: factor out a ipv6_set_opt_hdr helper · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 13/26] bpfilter: switch bpfilter_ip_set_sockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
RE: [PATCH 13/26] bpfilter: switch bpfilter_ip_set_sockopt to sockptr_t · David Laight <hidden> · 2020-07-23
Re: [PATCH 13/26] bpfilter: switch bpfilter_ip_set_sockopt to sockptr_t · 'Christoph Hellwig' <hch@lst.de> · 2020-07-23
[PATCH 11/26] netfilter: switch xt_copy_counters to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
RE: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · David Laight <hidden> · 2020-07-28
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-28
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-27
Re: [PATCH 12/26] netfilter: switch nf_setsockopt to sockptr_t · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2020-07-27
[PATCH 09/26] net/xfrm: switch xfrm_user_policy to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 01/26] bpfilter: fix up a sparse annotation · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 01/26] bpfilter: fix up a sparse annotation · Luc Van Oostenryck <hidden> · 2020-07-23
[PATCH 08/26] net: switch sock_set_timeout to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [MPTCP] [PATCH 08/26] net: switch sock_set_timeout to sockptr_t · Matthieu Baerts <hidden> · 2020-07-23
[PATCH 07/26] net: switch sock_set_timeout to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 05/26] net: switch copy_bpf_fprog_from_user to sockptr_t · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 04/26] net: add a new sockptr_t type · Christoph Hellwig <hch@lst.de> · 2020-07-23
Re: [PATCH 04/26] net: add a new sockptr_t type · Jan Engelhardt <hidden> · 2020-07-23
Re: [PATCH 04/26] net: add a new sockptr_t type · Eric Dumazet <edumazet@google.com> · 2020-07-23
Re: [PATCH 04/26] net: add a new sockptr_t type · Christoph Hellwig <hch@lst.de> · 2020-07-23
[PATCH 03/26] bpfilter: reject kernel addresses · Christoph Hellwig <hch@lst.de> · 2020-07-23
RE: [PATCH 03/26] bpfilter: reject kernel addresses · David Laight <hidden> · 2020-07-23
Re: [PATCH 03/26] bpfilter: reject kernel addresses · 'Christoph Hellwig' <hch@lst.de> · 2020-07-23
RE: [PATCH 03/26] bpfilter: reject kernel addresses · David Laight <hidden> · 2020-07-23
Re: get rid of the address_space override in setsockopt v2 · David Miller <davem@davemloft.net> · 2020-07-24
Re: get rid of the address_space override in setsockopt v2 · Christoph Hellwig <hch@lst.de> · 2020-07-26
Re: get rid of the address_space override in setsockopt v2 · David Miller <davem@davemloft.net> · 2020-07-26
RE: get rid of the address_space override in setsockopt v2 · David Laight <hidden> · 2020-07-27
Re: get rid of the address_space override in setsockopt v2 · Al Viro <viro@zeniv.linux.org.uk> · 2020-07-27
RE: get rid of the address_space override in setsockopt v2 · David Laight <hidden> · 2020-07-27

From: Eric Dumazet <hidden>
Date: 2020-08-07 18:29:30
Also in: bpf, bridge, linux-bluetooth, linux-can, linux-crypto, linux-hams, linux-s390, linux-sctp, lkml, lvs-devel, mptcp, netfilter-devel


On 8/7/20 2:18 AM, David Laight wrote:

From: Eric Dumazet

quoted

Sent: 06 August 2020 23:21

On 7/22/20 11:09 PM, Christoph Hellwig wrote:

quoted

Rework the remaining setsockopt code to pass a sockptr_t instead of a
plain user pointer.  This removes the last remaining set_fs(KERNEL_DS)
outside of architecture specific code.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> [ieee802154]
---

...

quoted

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 594e01ad670aa6..874f01cd7aec42 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c

@@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 }

...

quoted

 static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
-			    char __user *optval, unsigned int optlen)
+			       sockptr_t optval, unsigned int optlen)
 {
 	struct raw6_sock *rp = raw6_sk(sk);
 	int val;

-	if (get_user(val, (int __user *)optval))
+	if (copy_from_sockptr(&val, optval, sizeof(val)))
 		return -EFAULT;

converting get_user(...)   to  copy_from_sockptr(...) really assumed the optlen
has been validated to be >= sizeof(int) earlier.

Which is not always the case, for example here.

User application can fool us passing optlen=0, and a user pointer of exactly TASK_SIZE-1

Won't the user pointer force copy_from_sockptr() to call
copy_from_user() which will then do access_ok() on the entire
range and so return -EFAULT.

The only problems arise if the kernel code adds an offset to the
user address.
And the later patch added an offset to the copy functions.

I dunno, I definitely got the following syzbot crash 

No repro found by syzbot yet, but I suspect a 32bit binary program
did :

setsockopt(fd, 0x29, 0x24, 0xffffffffffffffff, 0x0)


BUG: KASAN: wild-memory-access in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: wild-memory-access in copy_from_sockptr_offset include/linux/sockptr.h:71 [inline]
BUG: KASAN: wild-memory-access in copy_from_sockptr include/linux/sockptr.h:77 [inline]
BUG: KASAN: wild-memory-access in do_rawv6_setsockopt net/ipv6/raw.c:1023 [inline]
BUG: KASAN: wild-memory-access in rawv6_setsockopt+0x1a1/0x6f0 net/ipv6/raw.c:1084
Read of size 4 at addr 00000000ffffffff by task syz-executor.0/28251

CPU: 3 PID: 28251 Comm: syz-executor.0 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:517 [inline]
 kasan_report.cold+0x5/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memcpy+0x20/0x60 mm/kasan/common.c:105
 memcpy include/linux/string.h:406 [inline]
 copy_from_sockptr_offset include/linux/sockptr.h:71 [inline]
 copy_from_sockptr include/linux/sockptr.h:77 [inline]
 do_rawv6_setsockopt net/ipv6/raw.c:1023 [inline]
 rawv6_setsockopt+0x1a1/0x6f0 net/ipv6/raw.c:1084
 __sys_setsockopt+0x2ad/0x6d0 net/socket.c:2138
 __do_sys_setsockopt net/socket.c:2149 [inline]
 __se_sys_setsockopt net/socket.c:2146 [inline]
 __ia32_sys_setsockopt+0xb9/0x150 net/socket.c:2146
 do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
 __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f22569
Code: c4 01 10 03 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f551c0bc EFLAGS: 00000296 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000029
RDX: 0000000000000024 RSI: 00000000ffffffff RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
==================================================================

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help