From: David Laight <David.Laight@ACULAB.COM>
To: 'Willem de Bruijn' <willemdebruijn.kernel@gmail.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: "davem@davemloft.net" <davem@davemloft.net>,
"edumazet@google.com" <edumazet@google.com>,
"gustavoars@kernel.org" <gustavoars@kernel.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"kuba@kernel.org" <kuba@kernel.org>,
"kuni1840@gmail.com" <kuni1840@gmail.com>,
"kuniyu@amazon.com" <kuniyu@amazon.com>,
"leitao@debian.org" <leitao@debian.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"pabeni@redhat.com" <pabeni@redhat.com>,
"syzkaller@googlegroups.com" <syzkaller@googlegroups.com>
Subject: RE: [PATCH v1 net 2/2] af_packet: Fix warning of fortified memcpy() in packet_getname().
Date: Wed, 19 Jul 2023 21:38:44 +0000 [thread overview]
Message-ID: <c391b7352213421da9771e5479d2a6ca@AcuMS.aculab.com> (raw)
In-Reply-To: <64b856d553b5b_2842f2294f0@willemb.c.googlers.com.notmuch>
From: Willem de Bruijn
> Sent: 19 July 2023 22:34
>
> > >
> > > > The write seems to overflow, but actually not since we use struct
> > > > sockaddr_storage defined in __sys_getsockname().
> > >
> > > Which gives _K_SS_MAXSIZE == 128, minus offsetof(struct sockaddr_ll, sll_addr).
> > >
> > > For fun, there is another caller. getsockopt SO_PEERNAME also calls
> > > sock->ops->getname, with a buffer hardcoded to 128. Should probably
> > > use sizeof(sockaddr_storage) for documentation, at least.
> > >
> > > .. and I just noticed that that was attempted, but not completed
> > > https://lore.kernel.org/lkml/20140928135545.GA23220@type.youpi.perso.aquilenet.fr/
> >
> > Yes, acutally my first draft had the diff below, but I dropped it
> > because packet_getname() does not call memcpy() for SO_PEERNAME at
> > least, and same for getpeername().
> >
> > And interestingly there was a revival thread.
> > https://lore.kernel.org/netdev/20230719084415.1378696-1-leitao@debian.org/
>
> Ah interesting :) Topical.
>
> > I can include this in v2 if needed.
> > What do you think ?
> >
> > ---8<---
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index 9370fd50aa2c..f1e887c3115f 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -1815,14 +1815,14 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
> >
> > case SO_PEERNAME:
> > {
> > - char address[128];
> > + struct sockaddr_storage address;
> >
> > - lv = sock->ops->getname(sock, (struct sockaddr *)address, 2);
> > + lv = sock->ops->getname(sock, (struct sockaddr *)&address, 2);
> > if (lv < 0)
> > return -ENOTCONN;
> > if (lv < len)
> > return -EINVAL;
> > - if (copy_to_sockptr(optval, address, len))
> > + if (copy_to_sockptr(optval, &address, len))
> > return -EFAULT;
> > goto lenout;
> > }
> > ---8<---
>
> I agree that it's a worthwhile change. I think it should be an
> independent commit. And since it does not fix a bug, target net-next.
It is potentially a bug.
There is no requirement that the compiler align 'char address[128]'.
So the accesses could fault later on.
In practise it will be aligned - unless the compiler is being
perverse.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2023-07-19 21:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-19 18:53 [PATCH v1 net 0/2] net: Fix error/warning by -fstrict-flex-arrays=3 Kuniyuki Iwashima
2023-07-19 18:53 ` [PATCH v1 net 1/2] af_unix: Fix fortify_panic() in unix_bind_bsd() Kuniyuki Iwashima
2023-07-19 22:26 ` Willem de Bruijn
2023-07-19 22:34 ` Kees Cook
2023-07-19 23:15 ` Kuniyuki Iwashima
2023-07-19 18:53 ` [PATCH v1 net 2/2] af_packet: Fix warning of fortified memcpy() in packet_getname() Kuniyuki Iwashima
2023-07-19 21:08 ` Kuniyuki Iwashima
2023-07-19 21:15 ` Willem de Bruijn
2023-07-19 21:27 ` Kuniyuki Iwashima
2023-07-19 21:34 ` Willem de Bruijn
2023-07-19 21:38 ` David Laight [this message]
2023-07-19 21:39 ` Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c391b7352213421da9771e5479d2a6ca@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gustavoars@kernel.org \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=kuniyu@amazon.com \
--cc=leitao@debian.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzkaller@googlegroups.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).