From: Greg KH <gregkh@linuxfoundation.org>
To: Peter Collingbourne <pcc@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Colin Ian King <colin.king@canonical.com>,
Cong Wang <cong.wang@bytedance.com>,
Al Viro <viro@zeniv.linux.org.uk>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
Date: Thu, 26 Aug 2021 08:39:44 +0200 [thread overview]
Message-ID: <YSc3MGVllU8qSJXV@kroah.com> (raw)
In-Reply-To: <20210826012722.3210359-1-pcc@google.com>
On Wed, Aug 25, 2021 at 06:27:22PM -0700, Peter Collingbourne wrote:
> A common implementation of isatty(3) involves calling a ioctl passing
> a dummy struct argument and checking whether the syscall failed --
> bionic and glibc use TCGETS (passing a struct termios), and musl uses
> TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
> copy sizeof(struct ifreq) bytes of data from the argument and return
> -EFAULT if that fails. The result is that the isatty implementations
> may return a non-POSIX-compliant value in errno in the case where part
> of the dummy struct argument is inaccessible, as both struct termios
> and struct winsize are smaller than struct ifreq (at least on arm64).
>
> Although there is usually enough stack space following the argument
> on the stack that this did not present a practical problem up to now,
> with MTE stack instrumentation it's more likely for the copy to fail,
> as the memory following the struct may have a different tag.
>
> Fix the problem by adding an early check for whether the ioctl is a
> valid socket ioctl, and return -ENOTTY if it isn't.
>
> Fixes: 44c02a2c3dc5 ("dev_ioctl(): move copyin/copyout to callers")
> Link: https://linux-review.googlesource.com/id/I869da6cf6daabc3e4b7b82ac979683ba05e27d4d
> Signed-off-by: Peter Collingbourne <pcc@google.com>
> Cc: <stable@vger.kernel.org> # 4.19
> ---
> include/linux/netdevice.h | 1 +
> net/core/dev_ioctl.c | 64 ++++++++++++++++++++++++++++++++-------
> net/socket.c | 6 +++-
> 3 files changed, 59 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index eaf5bb008aa9..481b90ef0d32 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -4012,6 +4012,7 @@ int netdev_rx_handler_register(struct net_device *dev,
> void netdev_rx_handler_unregister(struct net_device *dev);
>
> bool dev_valid_name(const char *name);
> +bool is_dev_ioctl_cmd(unsigned int cmd);
"is_socket_ioctl_cmd()" might be a better global name here.
thanks,
greg k-h
next prev parent reply other threads:[~2021-08-26 6:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-26 1:27 [PATCH] net: don't unconditionally copy_from_user a struct ifreq for socket ioctls Peter Collingbourne
2021-08-26 6:39 ` Greg KH [this message]
2021-08-26 19:46 ` Peter Collingbourne
2021-08-26 8:12 ` David Laight
2021-08-26 19:46 ` Peter Collingbourne
2021-08-27 8:34 ` David Laight
2021-08-26 8:58 ` Arnd Bergmann
2021-08-26 19:46 ` Peter Collingbourne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YSc3MGVllU8qSJXV@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=colin.king@canonical.com \
--cc=cong.wang@bytedance.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pcc@google.com \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.