From: Kees Cook <keescook@chromium.org>
To: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: davem@davemloft.net, edumazet@google.com, horms@kernel.org,
kuba@kernel.org, kuni1840@gmail.com, netdev@vger.kernel.org,
pabeni@redhat.com, slyich@gmail.com,
willemdebruijn.kernel@gmail.com
Subject: Re: [PATCH v1 net] af_packet: Fix fortified memcpy() without flex array.
Date: Mon, 9 Oct 2023 10:21:29 -0700 [thread overview]
Message-ID: <202310091020.18B4F8D27@keescook> (raw)
In-Reply-To: <20231009171228.89827-1-kuniyu@amazon.com>
On Mon, Oct 09, 2023 at 10:12:28AM -0700, Kuniyuki Iwashima wrote:
> From: Kees Cook <keescook@chromium.org>
> Date: Mon, 9 Oct 2023 09:01:34 -0700
> > On Mon, Oct 09, 2023 at 08:31:52AM -0700, Kuniyuki Iwashima wrote:
> > > Sergei Trofimovich reported a regression [0] caused by commit a0ade8404c3b
> > > ("af_packet: Fix warning of fortified memcpy() in packet_getname().").
> > >
> > > It introduced a flex array sll_addr_flex in struct sockaddr_ll as a
> > > union-ed member with sll_addr to work around the fortified memcpy() check.
> > >
> > > However, a userspace program uses a struct that has struct sockaddr_ll in
> > > the middle, where a flex array is illegal to exist.
> > >
> > > include/linux/if_packet.h:24:17: error: flexible array member 'sockaddr_ll::<unnamed union>::<unnamed struct>::sll_addr_flex' not at end of 'struct packet_info_t'
> > > 24 | __DECLARE_FLEX_ARRAY(unsigned char, sll_addr_flex);
> > > | ^~~~~~~~~~~~~~~~~~~~
> > > To fix the regression, let's go back to the first attempt [1] telling
> > > memcpy() the actual size of the array.
> > >
> > > Reported-by: Sergei Trofimovich <slyich@gmail.com>
> > > Closes: https://github.com/NixOS/nixpkgs/pull/252587#issuecomment-1741733002 [0]
> >
> > Eww. That's a buggy definition -- it could get overflowed.
>
> Only if they pass sizeof(struct sockaddr_storage) to getsockname().
>
>
> >
> > But okay, we don't break userspace.
> >
> > > Link: https://lore.kernel.org/netdev/20230720004410.87588-3-kuniyu@amazon.com/ [1]
> > > Fixes: a0ade8404c3b ("af_packet: Fix warning of fortified memcpy() in packet_getname().")
> > > Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> > > ---
> > > include/uapi/linux/if_packet.h | 6 +-----
> > > net/packet/af_packet.c | 7 ++++++-
> > > 2 files changed, 7 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/include/uapi/linux/if_packet.h b/include/uapi/linux/if_packet.h
> > > index 4d0ad22f83b5..9efc42382fdb 100644
> > > --- a/include/uapi/linux/if_packet.h
> > > +++ b/include/uapi/linux/if_packet.h
> > > @@ -18,11 +18,7 @@ struct sockaddr_ll {
> > > unsigned short sll_hatype;
> > > unsigned char sll_pkttype;
> > > unsigned char sll_halen;
> > > - union {
> > > - unsigned char sll_addr[8];
> > > - /* Actual length is in sll_halen. */
> > > - __DECLARE_FLEX_ARRAY(unsigned char, sll_addr_flex);
> > > - };
> > > + unsigned char sll_addr[8];
> > > };
> >
> > Yup, we need to do at least this.
> >
> > >
> > > /* Packet types */
> > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> > > index 8f97648d652f..a84e00b5904b 100644
> > > --- a/net/packet/af_packet.c
> > > +++ b/net/packet/af_packet.c
> > > @@ -3607,7 +3607,12 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
> > > if (dev) {
> > > sll->sll_hatype = dev->type;
> > > sll->sll_halen = dev->addr_len;
> > > - memcpy(sll->sll_addr_flex, dev->dev_addr, dev->addr_len);
> > > +
> > > + /* Let __fortify_memcpy_chk() know the actual buffer size. */
> > > + memcpy(((struct sockaddr_storage *)sll)->__data +
> > > + offsetof(struct sockaddr_ll, sll_addr) -
> > > + offsetofend(struct sockaddr_ll, sll_family),
> > > + dev->dev_addr, dev->addr_len);
> > > } else {
> > > sll->sll_hatype = 0; /* Bad: we have no ARPHRD_UNSPEC */
> > > sll->sll_halen = 0;
> >
> > I still think this is a mistake. We're papering over so many lies to the
> > compiler. :P If "uaddr" is actually "struct sockaddr_storage", then we
> > should update the callers...
>
> We could update all callers to pass sockaddr_storage but it seems too much
> for net.git.. :/ I think the conversion should be done later for net-next.
>
> $ grep -rn -E "\.getname.*?=" | cut -f 2 -d"=" | sort | uniq | wc -l
> 40
Agreed -- it's something to do going forward. Your fix is likely the
right approach to take to undo the UAPI change.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-10-09 17:21 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-09 15:31 [PATCH v1 net] af_packet: Fix fortified memcpy() without flex array Kuniyuki Iwashima
2023-10-09 16:01 ` Kees Cook
2023-10-09 17:12 ` Kuniyuki Iwashima
2023-10-09 17:21 ` Kees Cook [this message]
2023-10-12 7:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202310091020.18B4F8D27@keescook \
--to=keescook@chromium.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=kuniyu@amazon.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=slyich@gmail.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.