[net] net: validate SO_TXTIME clockid coming from userspace

Message ID	20240528224935.1020828-1-quic_abchauha@quicinc.com (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CB98517E8F3; Tue, 28 May 2024 22:49:59 +0000 (UTC) From: Abhishek Chauhan <quic_abchauha@quicinc.com> To: "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Halaney <ahalaney@redhat.com>, Willem de Bruijn <willemdebruijn.kernel@gmail.com>, Martin KaFai Lau <martin.lau@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>, Daniel Borkmann <daniel@iogearbox.net>, bpf <bpf@vger.kernel.org> Cc: kernel@quicinc.com, syzbot+d7b227731ec589e7f4f0@syzkaller.appspotmail.com, syzbot+30a35a2e9c5067cc43fa@syzkaller.appspotmail.com Subject: [PATCH net] net: validate SO_TXTIME clockid coming from userspace Date: Tue, 28 May 2024 15:49:35 -0700 Message-Id: <20240528224935.1020828-1-quic_abchauha@quicinc.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[net] net: validate SO_TXTIME clockid coming from userspace \| expand [net] net: validate SO_TXTIME clockid coming from userspace

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	fail	Errors and warnings before: 49 this patch: 49
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 5 of 5 maintainers
netdev/build_clang	fail	Errors and warnings before: 36 this patch: 36
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	fail	Problems with Fixes tag: 1
netdev/build_allmodconfig_warn	fail	Errors and warnings before: 49 this patch: 49
netdev/checkpatch	warning	WARNING: Unknown commit id '1693c5db6ab8', maybe rebased or not pulled?
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 9 this patch: 9
netdev/source_inline	success	Was 0 now: 0

Abhishek Chauhan (ABC) May 28, 2024, 10:49 p.m. UTC

Currently there are no strict checks while setting SO_TXTIME
from userspace. With the recent development in skb->tstamp_type
clockid with unsupported clocks results in warn_on_once, which causes
unnecessary aborts in some systems which enables panic on warns.

Add validation in setsockopt to support only CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.

Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/
Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")
Reported-by: syzbot+d7b227731ec589e7f4f0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7b227731ec589e7f4f0
Reported-by: syzbot+30a35a2e9c5067cc43fa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=30a35a2e9c5067cc43fa
Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
---
 net/core/sock.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Martin KaFai Lau May 29, 2024, 1:15 a.m. UTC | #1

On 5/28/24 3:49 PM, Abhishek Chauhan wrote:
> Currently there are no strict checks while setting SO_TXTIME
> from userspace. With the recent development in skb->tstamp_type
> clockid with unsupported clocks results in warn_on_once, which causes
> unnecessary aborts in some systems which enables panic on warns.
> 
> Add validation in setsockopt to support only CLOCK_REALTIME,
> CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.
> 
> Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
> Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/
> Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")

Patch lgtm. This should target for net-next instead of net. The Fixes patch is 
in net-next only.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>

Abhishek Chauhan (ABC) May 29, 2024, 3:32 a.m. UTC | #2

On 5/28/2024 6:15 PM, Martin KaFai Lau wrote:
> On 5/28/24 3:49 PM, Abhishek Chauhan wrote:
>> Currently there are no strict checks while setting SO_TXTIME
>> from userspace. With the recent development in skb->tstamp_type
>> clockid with unsupported clocks results in warn_on_once, which causes
>> unnecessary aborts in some systems which enables panic on warns.
>>
>> Add validation in setsockopt to support only CLOCK_REALTIME,
>> CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.
>>
>> Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
>> Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/
>> Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")
> 
> Patch lgtm. This should target for net-next instead of net. The Fixes patch is in net-next only.
> 
Thanks Martin. Let me raise a patch on net-next and add your acked-by to it as well. 

> Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
>

Willem de Bruijn May 29, 2024, 1:58 p.m. UTC | #3

minor: double space before userspace

Abhishek Chauhan wrote:
> Currently there are no strict checks while setting SO_TXTIME
> from userspace. With the recent development in skb->tstamp_type
> clockid with unsupported clocks results in warn_on_once, which causes
> unnecessary aborts in some systems which enables panic on warns.
> 
> Add validation in setsockopt to support only CLOCK_REALTIME,
> CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.
> 
> Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
> Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/

These discussions can be found directly from the referenced commit?
If any, I'd like to the conversation we had that arrived at this
approach.

> Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")
> Reported-by: syzbot+d7b227731ec589e7f4f0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d7b227731ec589e7f4f0
> Reported-by: syzbot+30a35a2e9c5067cc43fa@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=30a35a2e9c5067cc43fa
> Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
> ---
>  net/core/sock.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 8629f9aecf91..f8374be9d8c9 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1083,6 +1083,17 @@ bool sockopt_capable(int cap)
>  }
>  EXPORT_SYMBOL(sockopt_capable);
>  
> +static int sockopt_validate_clockid(int value)

sock_txtime.clockid has type __kernel_clockid_t.

> +{
> +	switch (value) {
> +	case CLOCK_REALTIME:
> +	case CLOCK_MONOTONIC:
> +	case CLOCK_TAI:
> +		return 0;
> +	}
> +	return -EINVAL;
> +}
> +
>  /*
>   *	This is meant for all protocols to use and covers goings on
>   *	at the socket level. Everything here is generic.
> @@ -1497,6 +1508,11 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
>  			ret = -EPERM;
>  			break;
>  		}
> +
> +		ret = sockopt_validate_clockid(sk_txtime.clockid);
> +		if (ret)
> +			break;
> +
>  		sock_valbool_flag(sk, SOCK_TXTIME, true);
>  		sk->sk_clockid = sk_txtime.clockid;
>  		sk->sk_txtime_deadline_mode =
> -- 
> 2.25.1
>

Abhishek Chauhan (ABC) May 29, 2024, 3:49 p.m. UTC | #4

On 5/29/2024 6:58 AM, Willem de Bruijn wrote:
> minor: double space before userspace
> 
> Abhishek Chauhan wrote:
>> Currently there are no strict checks while setting SO_TXTIME
>> from userspace. With the recent development in skb->tstamp_type
>> clockid with unsupported clocks results in warn_on_once, which causes
>> unnecessary aborts in some systems which enables panic on warns.
>>
>> Add validation in setsockopt to support only CLOCK_REALTIME,
>> CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.
>>
>> Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
>> Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/
> 
> These discussions can be found directly from the referenced commit?
> If any, I'd like to the conversation we had that arrived at this
> approach.
> 
Not Directly but from the patch series. 
1. First link is for why we introduced skb->tstamp_type 
2. Second link points to the series were we discussed on two approach to solve the problem 
one being limit the skclockid to just TAI,MONO and REALTIME. 



>> Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")
>> Reported-by: syzbot+d7b227731ec589e7f4f0@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=d7b227731ec589e7f4f0
>> Reported-by: syzbot+30a35a2e9c5067cc43fa@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=30a35a2e9c5067cc43fa
>> Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
>> ---
>>  net/core/sock.c | 16 ++++++++++++++++
>>  1 file changed, 16 insertions(+)
>>
>> diff --git a/net/core/sock.c b/net/core/sock.c
>> index 8629f9aecf91..f8374be9d8c9 100644
>> --- a/net/core/sock.c
>> +++ b/net/core/sock.c
>> @@ -1083,6 +1083,17 @@ bool sockopt_capable(int cap)
>>  }
>>  EXPORT_SYMBOL(sockopt_capable);
>>  
>> +static int sockopt_validate_clockid(int value)
> 
> sock_txtime.clockid has type __kernel_clockid_t.
> 

 __kernel_clockid_t is typedef of int.  

>> +{
>> +	switch (value) {
>> +	case CLOCK_REALTIME:
>> +	case CLOCK_MONOTONIC:
>> +	case CLOCK_TAI:
>> +		return 0;
>> +	}
>> +	return -EINVAL;
>> +}
>> +
>>  /*
>>   *	This is meant for all protocols to use and covers goings on
>>   *	at the socket level. Everything here is generic.
>> @@ -1497,6 +1508,11 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
>>  			ret = -EPERM;
>>  			break;
>>  		}
>> +
>> +		ret = sockopt_validate_clockid(sk_txtime.clockid);
>> +		if (ret)
>> +			break;
>> +
>>  		sock_valbool_flag(sk, SOCK_TXTIME, true);
>>  		sk->sk_clockid = sk_txtime.clockid;
>>  		sk->sk_txtime_deadline_mode =
>> -- 
>> 2.25.1
>>
> 
>

Willem de Bruijn May 29, 2024, 4 p.m. UTC | #5

Abhishek Chauhan (ABC) wrote:
> 
> 
> On 5/29/2024 6:58 AM, Willem de Bruijn wrote:
> > minor: double space before userspace
> > 
> > Abhishek Chauhan wrote:
> >> Currently there are no strict checks while setting SO_TXTIME
> >> from userspace. With the recent development in skb->tstamp_type
> >> clockid with unsupported clocks results in warn_on_once, which causes
> >> unnecessary aborts in some systems which enables panic on warns.
> >>
> >> Add validation in setsockopt to support only CLOCK_REALTIME,
> >> CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.
> >>
> >> Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
> >> Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/
> > 
> > These discussions can be found directly from the referenced commit?
> > If any, I'd like to the conversation we had that arrived at this
> > approach.
> > 
> Not Directly but from the patch series. 
> 1. First link is for why we introduced skb->tstamp_type 
> 2. Second link points to the series were we discussed on two approach to solve the problem 
> one being limit the skclockid to just TAI,MONO and REALTIME. 

Ah, I missed that.
Perhaps point directly to the start of that follow-up conversation?

https://lore.kernel.org/lkml/6bdba7b6-fd22-4ea5-a356-12268674def1@quicinc.com/

> 
> 
> >> Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")
> >> Reported-by: syzbot+d7b227731ec589e7f4f0@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=d7b227731ec589e7f4f0
> >> Reported-by: syzbot+30a35a2e9c5067cc43fa@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=30a35a2e9c5067cc43fa
> >> Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
> >> ---
> >>  net/core/sock.c | 16 ++++++++++++++++
> >>  1 file changed, 16 insertions(+)
> >>
> >> diff --git a/net/core/sock.c b/net/core/sock.c
> >> index 8629f9aecf91..f8374be9d8c9 100644
> >> --- a/net/core/sock.c
> >> +++ b/net/core/sock.c
> >> @@ -1083,6 +1083,17 @@ bool sockopt_capable(int cap)
> >>  }
> >>  EXPORT_SYMBOL(sockopt_capable);
> >>  
> >> +static int sockopt_validate_clockid(int value)
> > 
> > sock_txtime.clockid has type __kernel_clockid_t.
> > 
> 
>  __kernel_clockid_t is typedef of int.  

It is now, but the stricter type definition exists for a reason.
Try to keep the strict types where possible. Besides aiding
syntactic checks, it also helps self document code.

Abhishek Chauhan (ABC) May 29, 2024, 4:04 p.m. UTC | #6

On 5/29/2024 9:00 AM, Willem de Bruijn wrote:
> Abhishek Chauhan (ABC) wrote:
>>
>>
>> On 5/29/2024 6:58 AM, Willem de Bruijn wrote:
>>> minor: double space before userspace
>>>
>>> Abhishek Chauhan wrote:
>>>> Currently there are no strict checks while setting SO_TXTIME
>>>> from userspace. With the recent development in skb->tstamp_type
>>>> clockid with unsupported clocks results in warn_on_once, which causes
>>>> unnecessary aborts in some systems which enables panic on warns.
>>>>
>>>> Add validation in setsockopt to support only CLOCK_REALTIME,
>>>> CLOCK_MONOTONIC and CLOCK_TAI to be set from userspace.
>>>>
>>>> Link: https://lore.kernel.org/netdev/bc037db4-58bb-4861-ac31-a361a93841d3@linux.dev/
>>>> Link: https://lore.kernel.org/lkml/20240509211834.3235191-1-quic_abchauha@quicinc.com/
>>>
>>> These discussions can be found directly from the referenced commit?
>>> If any, I'd like to the conversation we had that arrived at this
>>> approach.
>>>
>> Not Directly but from the patch series. 
>> 1. First link is for why we introduced skb->tstamp_type 
>> 2. Second link points to the series were we discussed on two approach to solve the problem 
>> one being limit the skclockid to just TAI,MONO and REALTIME. 
> 
> Ah, I missed that.
> Perhaps point directly to the start of that follow-up conversation?
> Thanks Willem, Let me do that when i raise the net-next patch. 
> https://lore.kernel.org/lkml/6bdba7b6-fd22-4ea5-a356-12268674def1@quicinc.com/
> 
>>
>>
>>>> Fixes: 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp type")
>>>> Reported-by: syzbot+d7b227731ec589e7f4f0@syzkaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=d7b227731ec589e7f4f0
>>>> Reported-by: syzbot+30a35a2e9c5067cc43fa@syzkaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=30a35a2e9c5067cc43fa
>>>> Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
>>>> ---
>>>>  net/core/sock.c | 16 ++++++++++++++++
>>>>  1 file changed, 16 insertions(+)
>>>>
>>>> diff --git a/net/core/sock.c b/net/core/sock.c
>>>> index 8629f9aecf91..f8374be9d8c9 100644
>>>> --- a/net/core/sock.c
>>>> +++ b/net/core/sock.c
>>>> @@ -1083,6 +1083,17 @@ bool sockopt_capable(int cap)
>>>>  }
>>>>  EXPORT_SYMBOL(sockopt_capable);
>>>>  
>>>> +static int sockopt_validate_clockid(int value)
>>>
>>> sock_txtime.clockid has type __kernel_clockid_t.
>>>
>>
>>  __kernel_clockid_t is typedef of int.  
>> It is now, but the stricter type definition exists for a reason.
> Try to keep the strict types where possible. Besides aiding
> syntactic checks, it also helps self document code.
Okay i see what you are saying. Makes sense. I will change it to __kernel_clockid_t

[net] net: validate SO_TXTIME clockid coming from userspace

Checks

Commit Message

Comments

Patch