From: Kees Cook <kees@kernel.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Kees Cook <kees@kernel.org>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
Willem de Bruijn <willemb@google.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2 09/10] bpf: Add size validation to bpf_sock_addr_set_sun_path()
Date: Tue, 14 Oct 2025 15:43:31 -0700 [thread overview]
Message-ID: <20251014224334.2344521-9-kees@kernel.org> (raw)
In-Reply-To: <20251014223349.it.173-kees@kernel.org>
Add defensive size validation to bpf_sock_addr_set_sun_path() before
writing to the sockaddr buffer. While the underlying buffer is guaranteed
to be sockaddr_storage (128 bytes) from the bind() syscall path, the
function should validate that "sa_kern->uaddrlen" is sufficient for the
sockaddr_un structure being written.
The validation checks that the available buffer size ("sa_kern->uaddrlen")
can accommodate both the sockaddr_un header and the requested path length
before performing the memcpy() operation.
Signed-off-by: Kees Cook <kees@kernel.org>
---
net/core/filter.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index b96b5ffc7eb3..fa6c5baf0bf3 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -12089,6 +12089,7 @@ __bpf_kfunc int bpf_sock_addr_set_sun_path(struct bpf_sock_addr_kern *sa_kern,
const u8 *sun_path, u32 sun_path__sz)
{
struct sockaddr_un *un;
+ size_t required_size;
if (sa_kern->sk->sk_family != AF_UNIX)
return -EINVAL;
@@ -12099,9 +12100,14 @@ __bpf_kfunc int bpf_sock_addr_set_sun_path(struct bpf_sock_addr_kern *sa_kern,
if (sun_path__sz == 0 || sun_path__sz > UNIX_PATH_MAX)
return -EINVAL;
+ /* Validate that the buffer is large enough for sockaddr_un + path */
+ required_size = offsetof(struct sockaddr_un, sun_path) + sun_path__sz;
+ if (sa_kern->uaddrlen < required_size)
+ return -EINVAL;
+
un = (struct sockaddr_un *)sa_kern->uaddr;
memcpy(un->sun_path, sun_path, sun_path__sz);
- sa_kern->uaddrlen = offsetof(struct sockaddr_un, sun_path) + sun_path__sz;
+ sa_kern->uaddrlen = required_size;
return 0;
}
--
2.34.1
next prev parent reply other threads:[~2025-10-14 22:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-14 22:43 [PATCH v2 00/10] net: Introduce struct sockaddr_unspec Kees Cook
2025-10-14 22:43 ` [PATCH v2 01/10] net: Add struct sockaddr_unspec for sockaddr of unknown length Kees Cook
2025-10-14 22:43 ` [PATCH v2 02/10] net/l2tp: Add missing sa_family validation in pppol2tp_sockaddr_get_info Kees Cook
2025-10-14 22:43 ` [PATCH v2 03/10] net: Convert proto_ops bind() callbacks to use sockaddr_unspec Kees Cook
2025-10-15 12:15 ` Simon Horman
2025-10-20 18:12 ` Kees Cook
2025-10-14 22:43 ` [PATCH v2 04/10] net: Convert proto_ops connect() " Kees Cook
2025-10-14 22:43 ` [PATCH v2 05/10] net: Remove struct sockaddr from net.h Kees Cook
2025-10-14 22:43 ` [PATCH v2 06/10] net: Convert proto callbacks from sockaddr to sockaddr_unspec Kees Cook
2025-10-14 22:43 ` [PATCH v2 07/10] bpf: Convert cgroup sockaddr filters to use sockaddr_unspec consistently Kees Cook
2025-10-14 22:43 ` [PATCH v2 08/10] bpf: Convert bpf_sock_addr_kern "uaddr" to sockaddr_unspec Kees Cook
2025-10-14 22:43 ` Kees Cook [this message]
2025-10-14 22:43 ` [PATCH v2 10/10] net: Convert struct sockaddr to fixed-size "sa_data[14]" Kees Cook
[not found] ` <2095031a79fdd5a7765b9e7a0a052fb2b48895c8794a170e567273d2614da9fd@mail.kernel.org>
2025-10-14 23:56 ` [PATCH v2 00/10] net: Introduce struct sockaddr_unspec Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251014224334.2344521-9-kees@kernel.org \
--to=kees@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gustavo@embeddedor.com \
--cc=horms@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox