From: 'Marcelo Ricardo Leitner' <marcelo.leitner@gmail.com>
To: David Laight <David.Laight@aculab.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
Neil Horman <nhorman@tuxdriver.com>
Subject: Re: [PATCH net-next] sctp: Pull the user copies out of the individual sockopt functions.
Date: Thu, 21 May 2020 00:17:25 +0000 [thread overview]
Message-ID: <20200521001725.GW2491@localhost.localdomain> (raw)
In-Reply-To: <fd94b5e41a7c4edc8f743c56a04ed2c9@AcuMS.aculab.com>
On Wed, May 20, 2020 at 03:08:13PM +0000, David Laight wrote:
...
> Only SCTP_SOCKOPT_CONNECTX3 contains an indirect pointer.
> It is also the only getsockopt() that wants to return a buffer
> and an error code. It is also definitely abusing getsockopt().
...
> @@ -1375,11 +1350,11 @@ struct compat_sctp_getaddrs_old {
> #endif
>
> static int sctp_getsockopt_connectx3(struct sock *sk, int len,
> - char __user *optval,
> - int __user *optlen)
> + struct sctp_getaddrs_old *param,
> + int *optlen)
> {
> - struct sctp_getaddrs_old param;
> sctp_assoc_t assoc_id = 0;
> + struct sockaddr *addrs;
> int err = 0;
>
> #ifdef CONFIG_COMPAT
> @@ -1388,29 +1363,28 @@ static int sctp_getsockopt_connectx3(struct sock *sk, int len,
>
> if (len < sizeof(param32))
> return -EINVAL;
> - if (copy_from_user(¶m32, optval, sizeof(param32)))
> - return -EFAULT;
> + param32 = *(struct compat_sctp_getaddrs_old *)param;
>
> - param.assoc_id = param32.assoc_id;
> - param.addr_num = param32.addr_num;
> - param.addrs = compat_ptr(param32.addrs);
> + param->assoc_id = param32.assoc_id;
> + param->addr_num = param32.addr_num;
> + param->addrs = compat_ptr(param32.addrs);
> } else
> #endif
> {
> - if (len < sizeof(param))
> + if (len < sizeof(*param))
> return -EINVAL;
> - if (copy_from_user(¶m, optval, sizeof(param)))
> - return -EFAULT;
> }
>
> - err = __sctp_setsockopt_connectx(sk, (struct sockaddr __user *)
> - param.addrs, param.addr_num,
> + addrs = memdup_user(param->addrs, param->addr_num);
I'm staring at this for a while now but I don't get this memdup_user.
AFAICT, params->addrs is not __user anymore here, because
sctp_getsockopt() copied the whole thing already, no?
Also weird because it is being called from kernel_sctp_getsockopt(),
which now has no knowledge of __user buffers.
Maybe I didn't get something from the patch description.
> + if (IS_ERR(addrs))
> + return PTR_ERR(addrs);
> +
> + err = __sctp_setsockopt_connectx(sk, addrs, param->addr_num,
> &assoc_id);
> + kfree(addrs);
> if (err = 0 || err = -EINPROGRESS) {
> - if (copy_to_user(optval, &assoc_id, sizeof(assoc_id)))
> - return -EFAULT;
> - if (put_user(sizeof(assoc_id), optlen))
> - return -EFAULT;
> + *(sctp_assoc_t *)param = assoc_id;
> + *optlen = sizeof(assoc_id);
> }
>
> return err;
WARNING: multiple messages have this Message-ID (diff)
From: 'Marcelo Ricardo Leitner' <marcelo.leitner@gmail.com>
To: David Laight <David.Laight@aculab.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
Neil Horman <nhorman@tuxdriver.com>
Subject: Re: [PATCH net-next] sctp: Pull the user copies out of the individual sockopt functions.
Date: Wed, 20 May 2020 21:17:25 -0300 [thread overview]
Message-ID: <20200521001725.GW2491@localhost.localdomain> (raw)
In-Reply-To: <fd94b5e41a7c4edc8f743c56a04ed2c9@AcuMS.aculab.com>
On Wed, May 20, 2020 at 03:08:13PM +0000, David Laight wrote:
...
> Only SCTP_SOCKOPT_CONNECTX3 contains an indirect pointer.
> It is also the only getsockopt() that wants to return a buffer
> and an error code. It is also definitely abusing getsockopt().
...
> @@ -1375,11 +1350,11 @@ struct compat_sctp_getaddrs_old {
> #endif
>
> static int sctp_getsockopt_connectx3(struct sock *sk, int len,
> - char __user *optval,
> - int __user *optlen)
> + struct sctp_getaddrs_old *param,
> + int *optlen)
> {
> - struct sctp_getaddrs_old param;
> sctp_assoc_t assoc_id = 0;
> + struct sockaddr *addrs;
> int err = 0;
>
> #ifdef CONFIG_COMPAT
> @@ -1388,29 +1363,28 @@ static int sctp_getsockopt_connectx3(struct sock *sk, int len,
>
> if (len < sizeof(param32))
> return -EINVAL;
> - if (copy_from_user(¶m32, optval, sizeof(param32)))
> - return -EFAULT;
> + param32 = *(struct compat_sctp_getaddrs_old *)param;
>
> - param.assoc_id = param32.assoc_id;
> - param.addr_num = param32.addr_num;
> - param.addrs = compat_ptr(param32.addrs);
> + param->assoc_id = param32.assoc_id;
> + param->addr_num = param32.addr_num;
> + param->addrs = compat_ptr(param32.addrs);
> } else
> #endif
> {
> - if (len < sizeof(param))
> + if (len < sizeof(*param))
> return -EINVAL;
> - if (copy_from_user(¶m, optval, sizeof(param)))
> - return -EFAULT;
> }
>
> - err = __sctp_setsockopt_connectx(sk, (struct sockaddr __user *)
> - param.addrs, param.addr_num,
> + addrs = memdup_user(param->addrs, param->addr_num);
I'm staring at this for a while now but I don't get this memdup_user.
AFAICT, params->addrs is not __user anymore here, because
sctp_getsockopt() copied the whole thing already, no?
Also weird because it is being called from kernel_sctp_getsockopt(),
which now has no knowledge of __user buffers.
Maybe I didn't get something from the patch description.
> + if (IS_ERR(addrs))
> + return PTR_ERR(addrs);
> +
> + err = __sctp_setsockopt_connectx(sk, addrs, param->addr_num,
> &assoc_id);
> + kfree(addrs);
> if (err == 0 || err == -EINPROGRESS) {
> - if (copy_to_user(optval, &assoc_id, sizeof(assoc_id)))
> - return -EFAULT;
> - if (put_user(sizeof(assoc_id), optlen))
> - return -EFAULT;
> + *(sctp_assoc_t *)param = assoc_id;
> + *optlen = sizeof(assoc_id);
> }
>
> return err;
next prev parent reply other threads:[~2020-05-21 0:17 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-20 15:08 [PATCH net-next] sctp: Pull the user copies out of the individual sockopt functions David Laight
2020-05-20 23:33 ` kbuild test robot
2020-05-20 23:33 ` kbuild test robot
2020-05-20 23:33 ` kbuild test robot
2020-05-21 0:17 ` 'Marcelo Ricardo Leitner' [this message]
2020-05-21 0:17 ` 'Marcelo Ricardo Leitner'
2020-05-21 7:32 ` David Laight
2020-05-21 14:36 ` 'Marcelo Ricardo Leitner'
2020-05-21 14:36 ` 'Marcelo Ricardo Leitner'
2020-05-21 15:37 ` 'Marcelo Ricardo Leitner'
2020-05-21 15:37 ` 'Marcelo Ricardo Leitner'
2020-05-21 15:39 ` Christoph Hellwig
2020-05-21 15:39 ` Christoph Hellwig
2020-05-21 15:52 ` David Laight
2020-05-21 16:09 ` David Laight
2020-05-21 16:45 ` 'Marcelo Ricardo Leitner'
2020-05-21 16:45 ` 'Marcelo Ricardo Leitner'
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200521001725.GW2491@localhost.localdomain \
--to=marcelo.leitner@gmail.com \
--cc=David.Laight@aculab.com \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.