From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Kees Cook <keescook@chromium.org>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Willem de Bruijn <willemb@google.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 06/21] af_packet: avoid a false positive warning in packet_setsockopt()
Date: Mon, 27 May 2024 10:15:17 -0400 [thread overview]
Message-ID: <20240527141551.3853516-6-sashal@kernel.org> (raw)
In-Reply-To: <20240527141551.3853516-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 86d43e2bf93ccac88ef71cee36a23282ebd9e427 ]
Although the code is correct, the following line
copy_from_sockptr(&req_u.req, optval, len));
triggers this warning :
memcpy: detected field-spanning write (size 28) of single field "dst" at include/linux/sockptr.h:49 (size 16)
Refactor the code to be more explicit.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/packet/af_packet.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index f017d7d33da39..7beb36c2eafa9 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3806,28 +3806,30 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,
case PACKET_TX_RING:
{
union tpacket_req_u req_u;
- int len;
+ ret = -EINVAL;
lock_sock(sk);
switch (po->tp_version) {
case TPACKET_V1:
case TPACKET_V2:
- len = sizeof(req_u.req);
+ if (optlen < sizeof(req_u.req))
+ break;
+ ret = copy_from_sockptr(&req_u.req, optval,
+ sizeof(req_u.req)) ?
+ -EINVAL : 0;
break;
case TPACKET_V3:
default:
- len = sizeof(req_u.req3);
+ if (optlen < sizeof(req_u.req3))
+ break;
+ ret = copy_from_sockptr(&req_u.req3, optval,
+ sizeof(req_u.req3)) ?
+ -EINVAL : 0;
break;
}
- if (optlen < len) {
- ret = -EINVAL;
- } else {
- if (copy_from_sockptr(&req_u.req, optval, len))
- ret = -EFAULT;
- else
- ret = packet_set_ring(sk, &req_u, 0,
- optname == PACKET_TX_RING);
- }
+ if (!ret)
+ ret = packet_set_ring(sk, &req_u, 0,
+ optname == PACKET_TX_RING);
release_sock(sk);
return ret;
}
--
2.43.0
next prev parent reply other threads:[~2024-05-27 14:16 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-27 14:15 [PATCH AUTOSEL 6.6 01/21] ssb: Fix potential NULL pointer dereference in ssb_device_uevent() Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 02/21] selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 03/21] selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 04/21] batman-adv: bypass empty buckets in batadv_purge_orig_ref() Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 05/21] wifi: ath9k: work around memset overflow warning Sasha Levin
2024-05-27 14:15 ` Sasha Levin [this message]
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 07/21] ACPI: x86: Add PNP_UART1_SKIP quirk for Lenovo Blade2 tablets Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 08/21] net: sfp: add quirk for another multigig RollBall transceiver Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 09/21] drop_monitor: replace spin_lock by raw_spin_lock Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 10/21] scsi: qedi: Fix crash while reading debugfs attribute Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 11/21] net: sfp: add quirk for ATS SFP-GE-T 1000Base-TX module Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 12/21] net/sched: fix false lockdep warning on qdisc root lock Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 13/21] kselftest: arm64: Add a null pointer check Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 14/21] net: dsa: realtek: keep default LED state in rtl8366rb Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 15/21] netpoll: Fix race condition in netpoll_owner_active Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 16/21] wifi: mt76: mt7921s: fix potential hung tasks during chip recovery Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 17/21] HID: Add quirk for Logitech Casa touchpad Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 18/21] HID: asus: fix more n-key report descriptors if n-key quirked Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 19/21] ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Sasha Levin
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 20/21] HID: bpf: add in-tree HID-BPF fix for the HP Elite Presenter Mouse Sasha Levin
2024-05-27 14:49 ` Benjamin Tissoires
2024-05-27 14:15 ` [PATCH AUTOSEL 6.6 21/21] Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240527141551.3853516-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox