From: Simon Horman <horms@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Abel Wu <wuyun.abel@bytedance.com>,
Breno Leitao <leitao@debian.org>,
Alexander Mikhalitsyn <alexander@mihalicyn.com>,
David Howells <dhowells@redhat.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3] sock: Use unsafe_memcpy() for sock_copy()
Date: Tue, 5 Mar 2024 13:23:26 +0000
Message-ID: <20240305132326.GE2357@kernel.org>
In-Reply-To: <20240304212928.make.772-kees@kernel.org>

On Mon, Mar 04, 2024 at 01:29:31PM -0800, Kees Cook wrote:
> While testing for places where zero-sized destinations were still showing
> up in the kernel, sock_copy() and inet_reqsk_clone() were found, which
> are using very specific memcpy() offsets for both avoiding a portion of
> struct sock, and copying beyond the end of it (since struct sock is really
> just a common header before the protocol-specific allocation). Instead
> of trying to unravel this historical lack of container_of(), just switch
> to unsafe_memcpy(), since that's effectively what was happening already
> (memcpy() wasn't checking 0-sized destinations while the code base was
> being converted away from fake flexible arrays).
>
> Avoid the following false positive warning with future changes to
> CONFIG_FORTIFY_SOURCE:
>
> memcpy: detected field-spanning write (size 3068) of destination "&nsk->__sk_common.skc_dontcopy_end" at net/core/sock.c:2057 (size 0)
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> v3: fix inet_reqsk_clone() comment
> v2: https://lore.kernel.org/lkml/20240216232220.it.450-kees@kernel.org
> v1: https://lore.kernel.org/lkml/20240216204423.work.066-kees@kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
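
A user-space model of the copy pattern the quoted commit message describes, added here as an example; it is not code from the patch or the kernel tree. The `_model` struct and function names, the field layout and the 32-byte private area are constructed for illustration; `skc_dontcopy_end` is the destination named in the warning.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for struct sock: zero-size markers fence off the
 * per-object state that a clone must not inherit. */
struct sock_model {
    int skc_family;             /* copied */
    int skc_dontcopy_begin[0];  /* zero-size marker (GNU C extension) */
    int skc_refcnt;             /* must stay as the new object had it */
    int skc_dontcopy_end[0];    /* zero-size marker: the memcpy() destination */
    int skc_state;              /* copied */
};

/* Protocol-specific object; the common header is only its first member. */
struct proto_sock_model {
    struct sock_model sk;
    char proto_private[32];
};

/* Size of the destination field itself: the "(size 0)" in the quoted warning. */
size_t dst_field_size(void)
{
    return sizeof(((struct sock_model *)0)->skc_dontcopy_end);
}

/* Length of the second copy: from the end marker to the end of the whole
 * protocol object, which reaches past sizeof(struct sock_model). */
size_t tail_copy_len(size_t obj_size)
{
    return obj_size - offsetof(struct sock_model, skc_dontcopy_end);
}

/* Clone in two ranges addressed from the object base, skipping the fenced
 * region between the two markers. */
void sock_model_copy(struct sock_model *nsk, const struct sock_model *osk,
                     size_t obj_size)
{
    size_t end = offsetof(struct sock_model, skc_dontcopy_end);

    memcpy(nsk, osk, offsetof(struct sock_model, skc_dontcopy_begin));
    memcpy((char *)nsk + end, (const char *)osk + end, tail_copy_len(obj_size));
}
```

A bounds check keyed to the named field sees a zero-byte destination and a non-zero length on every call, even though the write stays inside the allocated protocol object.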