From: Johannes Berg <johannes@sipsolutions.net>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, viro@zeniv.linux.org.uk, robert@ocallahan.org
Subject: Re: [PATCH net 0/4] various compat ioctl fixes
Date: Mon, 28 Jan 2019 22:32:30 +0100
Message-ID: <149d1ddec433d7cb766c99eeb78b220b33090287.camel@sipsolutions.net>
In-Reply-To: <20190128.112256.1993605129492088954.davem@davemloft.net>

On Mon, 2019-01-28 at 11:22 -0800, David Miller wrote:

> I see some back and forth between you and Al, where do we stand at
> this point?

I don't really know. I think neither of us _likes_ this code, in
particular the whole copy_in_user() thing is quite a mess. The
copy_in_user() also means that decnet (and similar things, if they
exist, I didn't see any but didn't audit all protocols carefully) have
no way of working in compat - it's not even clear to me if that'd return
-EFAULT or just do something really stupid, and maybe even dangerous?

(Dangerous because at least on x86, compat_alloc_user_space() uses stack
space, and if we alloc 40 bytes but decnet writes up to 42 (?) then we
could overwrite some stack by that? Maybe the 16-byte alignment in
compat_alloc_user_space() saves us, but it's all very fragile. Even with
the previous patch fixed, decnet's idea of "struct ifreq" is bigger than
"struct ifreq" actually is because sockaddr_dn is bigger, if I'm
counting it right then that's 42 in total)

At the same time, fixing all this _completely_ is not very realistic, it
would require passing the ifreq size through to lots of places and
making the user copy there take the size rather than sizeof(ifreq),
obviously at the very least to the method decnet uses, i.e. sock->ioctl() I
think, but clearly that affects every other protocol too.
This was what my previous patch had done partially for the directly
handled ioctls (the revert of which is the first patch in this series).

> From what I can see this looks like probably the simplest way to
> fix this in net and -stable currently.

I tend to agree, at least to fix the regression.

We can still deliberate separately if we want to fix decnet for compat
or if nobody cares now. But perhaps better decnet broken (quite
obviously and detectably) like it basically always was, than IP broken
(subtly, if your struct ends up landing at the end of a page).

Al, care to speak up about this here?

johannes
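To make the size mismatch discussed in this message concrete, the following is an added example (not code from this thread or from the kernel tree). It models the UAPI layouts with fixed-width types, assuming a 64-bit kernel, and shows the kind of size-aware copy the message says a complete fix would need; the struct names with a 64 suffix, bounded_copy() and the other helpers are constructed for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IFNAMSIZ 16

/* Native struct ifreq as a 64-bit kernel lays it out: the union is sized by
 * struct ifmap (two unsigned longs, a short and three chars -> 24 bytes). */
struct ifmap64 { uint64_t mem_start, mem_end; uint16_t base_addr; uint8_t irq, dma, port; };
struct sockaddr16 { uint16_t sa_family; char sa_data[14]; };
struct ifreq64 {
    char ifr_name[IFNAMSIZ];
    union { struct sockaddr16 addr; struct ifmap64 map; int32_t ivalue; uint64_t data; } u;
};

/* DECnet's address as defined in the UAPI header (linux/dn.h): 26 bytes. */
struct dn_naddr { uint16_t a_len; uint8_t a_addr[2]; };
struct sockaddr_dn {
    uint16_t sdn_family; uint8_t sdn_flags, sdn_objnum; uint16_t sdn_objnamel;
    uint8_t sdn_objname[16]; struct dn_naddr sdn_add;
};
/* DECnet's view of the request: the interface name followed by a full sockaddr_dn. */
struct dn_ifreq { char ifr_name[IFNAMSIZ]; struct sockaddr_dn addr; };

size_t native_ifreq_size(void) { return sizeof(struct ifreq64); }   /* 40 */
size_t decnet_ifreq_size(void) { return sizeof(struct dn_ifreq); }  /* 42 */

/* Bytes by which a DECnet-sized write overruns a sizeof(struct ifreq) scratch buffer. */
size_t ifreq_overrun_bytes(void)
{
    size_t n = native_ifreq_size(), d = decnet_ifreq_size();
    return d > n ? d - n : 0;
}

/* Size-aware copy (constructed): the caller passes the destination length
 * instead of assuming sizeof(struct ifreq). Returns 0, or -EFAULT on overrun. */
int bounded_copy(void *dst, size_t dst_len, const void *src, size_t src_len)
{
    if (src_len > dst_len)
        return -EFAULT;
    memcpy(dst, src, src_len);
    return 0;
}

/* A DECnet request does not fit a native ifreq slot; the check rejects it. */
int decnet_request_fits_native_slot(void)
{
    struct ifreq64 slot;
    struct dn_ifreq req;
    memset(&req, 0, sizeof(req));
    return bounded_copy(&slot, sizeof(slot), &req, sizeof(req)) == 0;
}
```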


Thread overview: 14+ messages
2019-01-25 21:43 [PATCH net 0/4] various compat ioctl fixes Johannes Berg
2019-01-25 21:43 ` [PATCH net 1/4] Revert "socket: fix struct ifreq size in compat ioctl" Johannes Berg
2019-01-25 21:43 ` [PATCH net 2/4] Revert "kill dev_ifsioc()" Johannes Berg
2019-01-26 17:29   ` Al Viro
2019-01-26 17:45     ` Johannes Berg
2019-01-26 17:49       ` Johannes Berg
2019-01-26 18:53         ` Johannes Berg
2019-01-25 21:43 ` [PATCH net 3/4] net: socket: fix SIOCGIFNAME in compat Johannes Berg
2019-01-25 21:43 ` [PATCH net 4/4] net: socket: make bond ioctls go through compat_ifreq_ioctl() Johannes Berg
2019-01-28 19:22 ` [PATCH net 0/4] various compat ioctl fixes David Miller
2019-01-28 21:32   ` Johannes Berg [this message]
2019-01-30  6:19     ` David Miller
2019-01-30 15:40     ` Al Viro
2019-01-30 18:20       ` David Miller
