From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75159C678D5 for ; Tue, 7 Mar 2023 17:46:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232011AbjCGRqx (ORCPT ); Tue, 7 Mar 2023 12:46:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232019AbjCGRq1 (ORCPT ); Tue, 7 Mar 2023 12:46:27 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD6DDCA23 for ; Tue, 7 Mar 2023 09:41:30 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6CB47B819BB for ; Tue, 7 Mar 2023 17:41:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C386CC433D2; Tue, 7 Mar 2023 17:41:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1678210889; bh=kdtPLffp0suWmww4+ZPOFlY086JqNVxevVOpX3FHGYw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mG0VKLvRycPkpj6StrUS3l4vbRCbgj4v8yuoxXed5GJIBlLo+yNLPMQbv9iIYXCua NYzK+Mo7GtHZgTjdr0K6yy7kA7ozbWv8qNC1mQGkfxhgwSEM1xvNhcWzrHWPFUDaKQ OWEHlkTjzBhIzO92cmdAyLh9QJYzIKeqLZD4oQu0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Eric Dumazet , Kees Cook , "David S. Miller" , Sasha Levin Subject: [PATCH 6.2 0685/1001] scm: add user copy checks to put_cmsg() Date: Tue, 7 Mar 2023 17:57:37 +0100 Message-Id: <20230307170051.336046887@linuxfoundation.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230307170022.094103862@linuxfoundation.org> References: <20230307170022.094103862@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Dumazet [ Upstream commit 5f1eb1ff58ea122e24adf0bc940f268ed2227462 ] This is a followup of commit 2558b8039d05 ("net: use a bounce buffer for copying skb->mark") x86 and powerpc define user_access_begin, meaning that they are not able to perform user copy checks when using user_write_access_begin() / unsafe_copy_to_user() and friends [1] Instead of waiting bugs to trigger on other arches, add a check_object_size() in put_cmsg() to make sure that new code tested on x86 with CONFIG_HARDENED_USERCOPY=y will perform more security checks. [1] We can not generically call check_object_size() from unsafe_copy_to_user() because UACCESS is enabled at this point. Signed-off-by: Eric Dumazet Cc: Kees Cook Acked-by: Kees Cook Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/core/scm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/core/scm.c b/net/core/scm.c index 5c356f0dee30c..acb7d776fa6ec 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -229,6 +229,8 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) if (msg->msg_control_is_user) { struct cmsghdr __user *cm = msg->msg_control_user; + check_object_size(data, cmlen - sizeof(*cm), true); + if (!user_write_access_begin(cm, cmlen)) goto efault; -- 2.39.2