From patchwork Thu Sep 30 16:24:35 2021 X-Patchwork-Submitter: Ralf Baechle X-Patchwork-Id: 12528875 X-Patchwork-Delegate: kuba@kernel.org Date: Thu, 30 Sep 2021 18:24:35 +0200
From: Ralf Baechle To: netdev@vger.kernel.org Cc: "David S. Miller" , Jakub Kicinski , Christoph Hellwig , Thomas Osterried , linux-hams@vger.kernel.org Subject: [PATCH] ax25: Fix use of copy_from_sockptr() in ax25_setsockopt() Message-ID: MIME-Version: 1.0 Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org The destination pointer passed to copy_from_sockptr() is an unsigned long * but the source in userspace is an unsigned int * resulting in an integer of the wrong size being copied from userspace. This happens to work on 32 bit but breaks 64-bit where bytes 4..7 will not be initialized. By luck it may work on little endian but on big endian where the userspace data is copied to the upper 32 bit of the destination it's most likely going to break. A simple test case to demonstrate this setsockopt() issue is: [...] int sk = socket(AF_AX25, SOCK_SEQPACKET, 0); int n1 = 42; int res = setsockopt(sk, SOL_AX25, AX25_T1, &n1, sizeof(n1)); printf("res = %d\n", res); [...] Signed-off-by: Ralf Baechle Cc: stable@vger.kernel.org # 5.9 Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") Reported-by: kernel test robot Reviewed-by: Christoph Hellwig --- net/ax25/af_ax25.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 2631efc6e359..9f2e4b76394a 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -534,7 +534,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, ax25_cb *ax25; struct net_device *dev; char devname[IFNAMSIZ]; - unsigned long opt; + unsigned int opt; int res = 0; if (level != SOL_AX25)
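Review bot: the size argument of the copy_from_sockptr() call cannot be checked from this hunk, because only the declaration `unsigned int opt;` is changed and the call and its optlen check sit outside the shown context. The length passed there should be sizeof(opt) (equivalently sizeof(unsigned int)), and optlen should be rejected when it is smaller than that, so declaration, length check and copy all agree on one width. With opt narrowed, any range check later in ax25_setsockopt() that compares opt against an unsigned long limit should also be revisited, since on 64-bit such a bound can no longer be exceeded by an unsigned int.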
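The width mismatch described in the commit message, modelled in userspace as an added example (not part of the patch or of the kernel source). It assumes an 8-byte unsigned long as on 64-bit Linux; the function names, the 0xAA stale-stack byte and the byte-array model of little and big endian machines are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix model: a 64-bit "unsigned long" slot receives only the 4 bytes that
 * userspace supplied. `stale` stands in for whatever the uninitialized stack
 * slot held; `big_endian` selects the byte order of the machine being modelled. */
static uint64_t copy_int_into_long(uint32_t user_val, uint8_t stale, int big_endian)
{
    uint8_t user[4], slot[8];
    uint64_t out = 0;
    int i;

    memset(slot, stale, sizeof(slot));      /* uninitialized destination */
    for (i = 0; i < 4; i++)                 /* userspace int in machine byte order */
        user[i] = (uint8_t)(user_val >> (big_endian ? 24 - 8 * i : 8 * i));
    memcpy(slot, user, sizeof(user));       /* only bytes 0..3 are written */

    for (i = 0; i < 8; i++)                 /* read the slot back as a 64-bit long */
        out |= (uint64_t)slot[i] << (big_endian ? 56 - 8 * i : 8 * i);
    return out;
}

/* Post-fix model: destination and source have the same width, so no stale
 * bytes survive and byte order no longer matters. */
static uint32_t copy_int_into_int(uint32_t user_val)
{
    uint32_t opt;

    memcpy(&opt, &user_val, sizeof(opt));
    return opt;
}

int main(void)
{
    printf("LE, zeroed slot: %llu\n",
           (unsigned long long)copy_int_into_long(42, 0x00, 0));
    printf("LE, stale slot : %#llx\n",
           (unsigned long long)copy_int_into_long(42, 0xAA, 0));
    printf("BE, zeroed slot: %#llx\n",
           (unsigned long long)copy_int_into_long(42, 0x00, 1));
    printf("BE, stale slot : %#llx\n",
           (unsigned long long)copy_int_into_long(42, 0xAA, 1));
    printf("fixed          : %u\n", copy_int_into_int(42));
    return 0;
}
```

The little endian case returns 42 only when the upper four bytes of the slot happen to be zero, which is the "by luck" case in the commit message; the big endian case is wrong even then.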