From: Vlad Yasevich <vyasevic@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: linux@roeck-us.net, netdev@vger.kernel.org,
linux-sctp@vger.kernel.org, vyasevich@gmail.com, sri@us.ibm.com,
nhorman@tuxdriver.com
Subject: Re: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS control message
Date: Wed, 27 Feb 2013 20:58:04 +0000 [thread overview]
Message-ID: <512E735C.10600@redhat.com> (raw)
In-Reply-To: <20130227.153344.2178498124458359369.davem@davemloft.net>
On 02/27/2013 03:33 PM, David Miller wrote:
> From: Guenter Roeck <linux@roeck-us.net>
> Date: Wed, 27 Feb 2013 11:43:51 -0800
>
>> Building sctp may fail with:
>>
>> In function ¡copy_from_user¢,
>> inlined from ¡sctp_getsockopt_assoc_stats¢ at
>> net/sctp/socket.c:5656:20:
>> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>> ¡copy_from_user_overflow¢ declared with attribute error: copy_from_user()
>> buffer size is not provably correct
>>
>> if built with W=1 due to a missing parameter size validation.
>>
>> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
>
> This change is correct, but please fix this by simply moving the:
>
> /* Allow the struct to grow and fill in as much as possible */
> len = min_t(size_t, len, sizeof(sas));
>
> line higher up in the function.
>
> And I also prefer this because:
>
> something testing sizeof(foo);
> if (copy_from_user(..., ..., sizeof(foo)))
>
> must easier to audit and validate, especially in patch form.
>
> Otherwise I have to bring the code into an editor and read the whole
> function just to make sure you got the type correct.
Right. In this particular case, we are after a very small portion of
user data (just the association id) and copying the entire structure is
rather pointless.
A nicer solution here would be to do this:
if (copy_from_user(&sas, optval, sizeof(sctp_assoc_t))
We are already guaranteed that much space and we make sure that we don't
overwrite the kernel stack.
-vlad
WARNING: multiple messages have this Message-ID (diff)
From: Vlad Yasevich <vyasevic@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: linux@roeck-us.net, netdev@vger.kernel.org,
linux-sctp@vger.kernel.org, vyasevich@gmail.com, sri@us.ibm.com,
nhorman@tuxdriver.com
Subject: Re: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS control message
Date: Wed, 27 Feb 2013 15:58:04 -0500 [thread overview]
Message-ID: <512E735C.10600@redhat.com> (raw)
In-Reply-To: <20130227.153344.2178498124458359369.davem@davemloft.net>
On 02/27/2013 03:33 PM, David Miller wrote:
> From: Guenter Roeck <linux@roeck-us.net>
> Date: Wed, 27 Feb 2013 11:43:51 -0800
>
>> Building sctp may fail with:
>>
>> In function ‘copy_from_user’,
>> inlined from ‘sctp_getsockopt_assoc_stats’ at
>> net/sctp/socket.c:5656:20:
>> arch/x86/include/asm/uaccess_32.h:211:26: error: call to
>> ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
>> buffer size is not provably correct
>>
>> if built with W=1 due to a missing parameter size validation.
>>
>> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
>
> This change is correct, but please fix this by simply moving the:
>
> /* Allow the struct to grow and fill in as much as possible */
> len = min_t(size_t, len, sizeof(sas));
>
> line higher up in the function.
>
> And I also prefer this because:
>
> something testing sizeof(foo);
> if (copy_from_user(..., ..., sizeof(foo)))
>
> must easier to audit and validate, especially in patch form.
>
> Otherwise I have to bring the code into an editor and read the whole
> function just to make sure you got the type correct.
Right. In this particular case, we are after a very small portion of
user data (just the association id) and copying the entire structure is
rather pointless.
A nicer solution here would be to do this:
if (copy_from_user(&sas, optval, sizeof(sctp_assoc_t))
We are already guaranteed that much space and we make sure that we don't
overwrite the kernel stack.
-vlad
next prev parent reply other threads:[~2013-02-27 20:58 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-27 19:43 [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS control message Guenter Roeck
2013-02-27 19:43 ` Guenter Roeck
2013-02-27 20:09 ` Neil Horman
2013-02-27 20:09 ` Neil Horman
2013-02-27 20:22 ` David Miller
2013-02-27 20:22 ` David Miller
2013-02-27 20:22 ` Guenter Roeck
2013-02-27 20:22 ` Guenter Roeck
2013-02-27 20:37 ` Vlad Yasevich
2013-02-27 20:37 ` Vlad Yasevich
2013-02-27 20:43 ` Neil Horman
2013-02-27 20:43 ` Neil Horman
2013-02-27 20:33 ` David Miller
2013-02-27 20:33 ` David Miller
2013-02-27 20:58 ` Vlad Yasevich [this message]
2013-02-27 20:58 ` Vlad Yasevich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=512E735C.10600@redhat.com \
--to=vyasevic@redhat.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=sri@us.ibm.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.