[PATCH] sock filter: fix copy of filter from userspace

[PATCH] sock filter: fix copy of filter from userspace

[Stephen Hemminger]

The sk_unattached_filter_create function is passed a socket
filter structure and the copies the contents of the filter from
userspace. Sparse detected that this code was incorrectly using
memcpy when it needed to use copy_from_user instead.

The only use of sk_unattached_filter_create at present is in
the team driver.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>


--- a/net/core/filter.c	2012-10-09 10:35:03.183141638 -0700
+++ b/net/core/filter.c	2012-10-13 11:33:05.955531440 -0700
@@ -666,7 +666,9 @@ int sk_unattached_filter_create(struct s
 	fp = kmalloc(fsize + sizeof(*fp), GFP_KERNEL);
 	if (!fp)
 		return -ENOMEM;
-	memcpy(fp->insns, fprog->filter, fsize);
+
+	if (copy_from_user(fp->insns, fprog->filter, fsize))
+		return -EFAULT;
 
 	atomic_set(&fp->refcnt, 1);
 	fp->len = fprog->len;

Re: [PATCH] sock filter: fix copy of filter from userspace

[Jiri Pirko]

Sat, Oct 13, 2012 at 08:40:32PM CEST, shemminger@vyatta.com wrote:
>The sk_unattached_filter_create function is passed a socket
>filter structure and the copies the contents of the filter from
>userspace. Sparse detected that this code was incorrectly using
>memcpy when it needed to use copy_from_user instead.

Hmm. fprog->filter is in this case allocated and filled in kernel.
So memcpy is good.

Not sure how to handle this correctly. Either we remove "__user" or we
redefine "struct sock_fprog" for sk_unattached_filter_create() use.

Any thoughts?

>
>The only use of sk_unattached_filter_create at present is in
>the team driver.
>
>Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
>
>
>--- a/net/core/filter.c	2012-10-09 10:35:03.183141638 -0700
>+++ b/net/core/filter.c	2012-10-13 11:33:05.955531440 -0700
>@@ -666,7 +666,9 @@ int sk_unattached_filter_create(struct s
> 	fp = kmalloc(fsize + sizeof(*fp), GFP_KERNEL);
> 	if (!fp)
> 		return -ENOMEM;
>-	memcpy(fp->insns, fprog->filter, fsize);
>+
>+	if (copy_from_user(fp->insns, fprog->filter, fsize))
>+		return -EFAULT;
> 
> 	atomic_set(&fp->refcnt, 1);
> 	fp->len = fprog->len;
>--
>To unsubscribe from this list: send the line "unsubscribe netdev" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] sock filter: fix copy of filter from userspace

[Stephen Hemminger]

On Sat, 13 Oct 2012 21:19:49 +0200
Jiri Pirko <jiri@resnulli.us> wrote:

> Sat, Oct 13, 2012 at 08:40:32PM CEST, shemminger@vyatta.com wrote:
> >The sk_unattached_filter_create function is passed a socket
> >filter structure and the copies the contents of the filter from
> >userspace. Sparse detected that this code was incorrectly using
> >memcpy when it needed to use copy_from_user instead.
> 
> Hmm. fprog->filter is in this case allocated and filled in kernel.
> So memcpy is good.
> 
> Not sure how to handle this correctly. Either we remove "__user" or we
> redefine "struct sock_fprog" for sk_unattached_filter_create() use.
> 
> Any thoughts?

Or define a different structure for kernel usage versus userspace API.