From mboxrd@z Thu Jan 1 00:00:00 1970 From: Laura Abbott Subject: Re: [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user() Date: Thu, 18 Jan 2018 13:31:42 -0800 Message-ID: <19a7add8-adaf-4ad4-6ae3-4a62967656b9@redhat.com> References: <1515636190-24061-1-git-send-email-keescook@chromium.org> <1515636190-24061-28-git-send-email-keescook@chromium.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1515636190-24061-28-git-send-email-keescook@chromium.org> Content-Language: en-US Sender: owner-linux-mm@kvack.org To: Kees Cook , linux-kernel@vger.kernel.org Cc: David Windsor , Vlad Yasevich , Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, Linus Torvalds , Alexander Viro , Andrew Morton , Andy Lutomirski , Christoph Hellwig , Christoph Lameter , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Christian Borntraeger , Christoffer Dall , Dave Kleikamp , Jan Kara , Luis de Bethencourt , Marc Zyngier , Rik van Riel , Matthew Garrett linu List-Id: linux-arch.vger.kernel.org On 01/10/2018 06:02 PM, Kees Cook wrote: > From: David Windsor > > The autoclose field can be copied with put_user(), so there is no need to > use copy_to_user(). In both cases, hardened usercopy is being bypassed > since the size is constant, and not open to runtime manipulation. > > This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY > whitelisting code in the last public patch of grsecurity/PaX based on my > understanding of the code. Changes or omissions from the original code are > mine and don't reflect the original grsecurity/PaX code. > Just tried a quick rebase and it looks like this conflicts with c76f97c99ae6 ("sctp: make use of pre-calculated len") I don't think we can use put_user if we're copying via the full len? Thanks, Laura > Signed-off-by: David Windsor > [kees: adjust commit log] > Cc: Vlad Yasevich > Cc: Neil Horman > Cc: "David S. Miller" > Cc: linux-sctp@vger.kernel.org > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook > --- > net/sctp/socket.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index efbc8f52c531..15491491ec88 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -5011,7 +5011,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv > len = sizeof(int); > if (put_user(len, optlen)) > return -EFAULT; > - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int))) > + if (put_user(sctp_sk(sk)->autoclose, (int __user *)optval)) > return -EFAULT; > return 0; > } > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-ot0-f196.google.com ([74.125.82.196]:35428 "EHLO mail-ot0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755163AbeARVbw (ORCPT ); Thu, 18 Jan 2018 16:31:52 -0500 Received: by mail-ot0-f196.google.com with SMTP id 53so21423579otj.2 for ; Thu, 18 Jan 2018 13:31:52 -0800 (PST) Subject: Re: [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user() References: <1515636190-24061-1-git-send-email-keescook@chromium.org> <1515636190-24061-28-git-send-email-keescook@chromium.org> From: Laura Abbott Message-ID: <19a7add8-adaf-4ad4-6ae3-4a62967656b9@redhat.com> Date: Thu, 18 Jan 2018 13:31:42 -0800 MIME-Version: 1.0 In-Reply-To: <1515636190-24061-28-git-send-email-keescook@chromium.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-arch-owner@vger.kernel.org List-ID: To: Kees Cook , linux-kernel@vger.kernel.org Cc: David Windsor , Vlad Yasevich , Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, Linus Torvalds , Alexander Viro , Andrew Morton , Andy Lutomirski , Christoph Hellwig , Christoph Lameter , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Christian Borntraeger , Christoffer Dall , Dave Kleikamp , Jan Kara , Luis de Bethencourt , Marc Zyngier , Rik van Riel , Matthew Garrett , linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com Message-ID: <20180118213142.0xKJeRrMbaZ4yWII8ZqtWEmScZS7lwf3yTE_GkrwRFg@z> On 01/10/2018 06:02 PM, Kees Cook wrote: > From: David Windsor > > The autoclose field can be copied with put_user(), so there is no need to > use copy_to_user(). In both cases, hardened usercopy is being bypassed > since the size is constant, and not open to runtime manipulation. > > This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY > whitelisting code in the last public patch of grsecurity/PaX based on my > understanding of the code. Changes or omissions from the original code are > mine and don't reflect the original grsecurity/PaX code. > Just tried a quick rebase and it looks like this conflicts with c76f97c99ae6 ("sctp: make use of pre-calculated len") I don't think we can use put_user if we're copying via the full len? Thanks, Laura > Signed-off-by: David Windsor > [kees: adjust commit log] > Cc: Vlad Yasevich > Cc: Neil Horman > Cc: "David S. Miller" > Cc: linux-sctp@vger.kernel.org > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook > --- > net/sctp/socket.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index efbc8f52c531..15491491ec88 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -5011,7 +5011,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv > len = sizeof(int); > if (put_user(len, optlen)) > return -EFAULT; > - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int))) > + if (put_user(sctp_sk(sk)->autoclose, (int __user *)optval)) > return -EFAULT; > return 0; > } >