From: Vlad Yasevich <vyasevich@gmail.com>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Neil Horman <nhorman@tuxdriver.com>,
netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Sridhar Samudrala <sri@us.ibm.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS control message
Date: Wed, 27 Feb 2013 20:37:05 +0000 [thread overview]
Message-ID: <512E6E71.2080007@gmail.com> (raw)
In-Reply-To: <20130227202255.GA31830@roeck-us.net>
On 02/27/2013 03:22 PM, Guenter Roeck wrote:
> On Wed, Feb 27, 2013 at 03:09:31PM -0500, Neil Horman wrote:
>> On Wed, Feb 27, 2013 at 11:43:51AM -0800, Guenter Roeck wrote:
>>> Building sctp may fail with:
>>>
>>> In function ‘copy_from_user’,
>>> inlined from ‘sctp_getsockopt_assoc_stats’ at
>>> net/sctp/socket.c:5656:20:
>>> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>>> ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
>>> buffer size is not provably correct
>>>
>>> if built with W=1 due to a missing parameter size validation.
>>>
>>> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
>>> ---
>>> net/sctp/socket.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>>> index cedd9bf..0a5f2bf 100644
>>> --- a/net/sctp/socket.c
>>> +++ b/net/sctp/socket.c
>>> @@ -5652,6 +5652,8 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
>>> /* User must provide at least the assoc id */
>>> if (len < sizeof(sctp_assoc_t))
>>> return -EINVAL;
>>> + if (len > sizeof(struct sctp_assoc_stats))
>>> + len = sizeof(struct sctp_assoc_stats);
>>>
>>> if (copy_from_user(&sas, optval, len))
>>> return -EFAULT;
>>> --
>>> 1.7.9.7
>>>
>>>
>>
>> Theres more than that going on here. This will fix the warning, but the
>> function is written such that, if you pass in a size that is greater than the
>> size of a struct sctp_association, but less than a struct sctp_assoc_stats. I'm
>> not sure that a partial stat struct is really that useful to people. What if
>> you were to check for max(struct sctp_association, struct sctp_assoc_stats) as
>> your minimum length check, then just did a copy_from_user of that length. It
>> would save you having to compute two lengths separately, since you could then
>> just do a copy_to_user(...,sizeof(struct sctp_assoc_stats), at the bottom of
>> that function.
>>
> Yes, but that would require input from someone who knows the code. All I am trying
> to accomplish is to ensure that copy_from_user does not overwrite the stack.
>
The function already has the following in it:
/* Allow the struct to grow and fill in as much as possible */
len = min_t(size_t, len, sizeof(sas));
It would be better to move that up to before the copy_from_user.
The alternative would be to do:
if (copy_from_user(&sas, optval, sizeof(sctp_assoc_t))
since all we are after here is an association id and nothing else.
-vlad
> Thanks,
> Guenter
>
WARNING: multiple messages have this Message-ID (diff)
From: Vlad Yasevich <vyasevich@gmail.com>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Neil Horman <nhorman@tuxdriver.com>,
netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Sridhar Samudrala <sri@us.ibm.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS control message
Date: Wed, 27 Feb 2013 15:37:05 -0500 [thread overview]
Message-ID: <512E6E71.2080007@gmail.com> (raw)
In-Reply-To: <20130227202255.GA31830@roeck-us.net>
On 02/27/2013 03:22 PM, Guenter Roeck wrote:
> On Wed, Feb 27, 2013 at 03:09:31PM -0500, Neil Horman wrote:
>> On Wed, Feb 27, 2013 at 11:43:51AM -0800, Guenter Roeck wrote:
>>> Building sctp may fail with:
>>>
>>> In function ‘copy_from_user’,
>>> inlined from ‘sctp_getsockopt_assoc_stats’ at
>>> net/sctp/socket.c:5656:20:
>>> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>>> ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
>>> buffer size is not provably correct
>>>
>>> if built with W=1 due to a missing parameter size validation.
>>>
>>> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
>>> ---
>>> net/sctp/socket.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>>> index cedd9bf..0a5f2bf 100644
>>> --- a/net/sctp/socket.c
>>> +++ b/net/sctp/socket.c
>>> @@ -5652,6 +5652,8 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
>>> /* User must provide at least the assoc id */
>>> if (len < sizeof(sctp_assoc_t))
>>> return -EINVAL;
>>> + if (len > sizeof(struct sctp_assoc_stats))
>>> + len = sizeof(struct sctp_assoc_stats);
>>>
>>> if (copy_from_user(&sas, optval, len))
>>> return -EFAULT;
>>> --
>>> 1.7.9.7
>>>
>>>
>>
>> Theres more than that going on here. This will fix the warning, but the
>> function is written such that, if you pass in a size that is greater than the
>> size of a struct sctp_association, but less than a struct sctp_assoc_stats. I'm
>> not sure that a partial stat struct is really that useful to people. What if
>> you were to check for max(struct sctp_association, struct sctp_assoc_stats) as
>> your minimum length check, then just did a copy_from_user of that length. It
>> would save you having to compute two lengths separately, since you could then
>> just do a copy_to_user(...,sizeof(struct sctp_assoc_stats), at the bottom of
>> that function.
>>
> Yes, but that would require input from someone who knows the code. All I am trying
> to accomplish is to ensure that copy_from_user does not overwrite the stack.
>
The function already has the following in it:
/* Allow the struct to grow and fill in as much as possible */
len = min_t(size_t, len, sizeof(sas));
It would be better to move that up to before the copy_from_user.
The alternative would be to do:
if (copy_from_user(&sas, optval, sizeof(sctp_assoc_t))
since all we are after here is an association id and nothing else.
-vlad
> Thanks,
> Guenter
>
next prev parent reply other threads:[~2013-02-27 20:37 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-27 19:43 [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS control message Guenter Roeck
2013-02-27 19:43 ` Guenter Roeck
2013-02-27 20:09 ` Neil Horman
2013-02-27 20:09 ` Neil Horman
2013-02-27 20:22 ` David Miller
2013-02-27 20:22 ` David Miller
2013-02-27 20:22 ` Guenter Roeck
2013-02-27 20:22 ` Guenter Roeck
2013-02-27 20:37 ` Vlad Yasevich [this message]
2013-02-27 20:37 ` Vlad Yasevich
2013-02-27 20:43 ` Neil Horman
2013-02-27 20:43 ` Neil Horman
2013-02-27 20:33 ` David Miller
2013-02-27 20:33 ` David Miller
2013-02-27 20:58 ` Vlad Yasevich
2013-02-27 20:58 ` Vlad Yasevich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=512E6E71.2080007@gmail.com \
--to=vyasevich@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=sri@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.