| Message ID | tencent_15CA920ADD9ADDCA19654FBE8DB5A5B88D07@qq.com (mailing list archive) |
|---|---|
| State | Rejected |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net/socket: Ensure length of input socket option param >= sizeof(int) | expand |
On 4/9/24 14:15, Edward Adam Davis wrote: > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in > only 2 bytes being allocated when allocating memory to kernel_optval, and the > optval size passed when calling the function copy_from_sockptr() is 4 bytes. > Here, optlen is determined uniformly in the entry function __sys_setsockopt(). > If its value is less than 4, the parameter is considered invalid. > > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> I think I gave my feedback already. Please do not ignore maintainers feedback. This patch is absolutely wrong. Some setsockopt() deal with optlen == 1 just fine, thank you very much.
Hi, On Tue, Apr 9, 2024 at 9:07 AM Eric Dumazet <eric.dumazet@gmail.com> wrote: > > > On 4/9/24 14:15, Edward Adam Davis wrote: > > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in > > only 2 bytes being allocated when allocating memory to kernel_optval, and the > > optval size passed when calling the function copy_from_sockptr() is 4 bytes. > > Here, optlen is determined uniformly in the entry function __sys_setsockopt(). > > If its value is less than 4, the parameter is considered invalid. > > > > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com > > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com > > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > I think I gave my feedback already. > > Please do not ignore maintainers feedback. > > This patch is absolutely wrong. > > Some setsockopt() deal with optlen == 1 just fine, thank you very much. +1, I don't think the setsockopt interface has a fixed minimum of sizeof(int), so this is a nak from me as well.
On Tue, 9 Apr 2024 15:07:41 +0200, Eric Dumazet wrote: > > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in > > only 2 bytes being allocated when allocating memory to kernel_optval, and the > > optval size passed when calling the function copy_from_sockptr() is 4 bytes. > > Here, optlen is determined uniformly in the entry function __sys_setsockopt(). > > If its value is less than 4, the parameter is considered invalid. > > > > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com > > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com > > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > I think I gave my feedback already. > > Please do not ignore maintainers feedback. > > This patch is absolutely wrong. > > Some setsockopt() deal with optlen == 1 just fine, thank you very much. It's better to use evidence to support your claim, rather than your "maintainer" title.
On Tue, Apr 9, 2024 at 4:02 PM Edward Adam Davis <eadavis@qq.com> wrote: > > On Tue, 9 Apr 2024 15:07:41 +0200, Eric Dumazet wrote: > > > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in > > > only 2 bytes being allocated when allocating memory to kernel_optval, and the > > > optval size passed when calling the function copy_from_sockptr() is 4 bytes. > > > Here, optlen is determined uniformly in the entry function __sys_setsockopt(). > > > If its value is less than 4, the parameter is considered invalid. > > > > > > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com > > > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com > > > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > > > > I think I gave my feedback already. > > > > Please do not ignore maintainers feedback. > > > > This patch is absolutely wrong. > > > > Some setsockopt() deal with optlen == 1 just fine, thank you very much. > It's better to use evidence to support your claim, rather than your "maintainer" title. I will answer since you ask so nicely, but if you plan sending linux kernel patches, I suggest you look in the source code. Look at do_ip_setsockopt(), which is one of the most used setsockopt() in the world. The code is at least 20 years old. It even supports optlen == 0 if (optlen >= sizeof(int)) { if (copy_from_sockptr(&val, optval, sizeof(val))) return -EFAULT; } else if (optlen >= sizeof(char)) { unsigned char ucval; if (copy_from_sockptr(&ucval, optval, sizeof(ucval))) return -EFAULT; val = (int) ucval; } } /* If optlen==0, it is equivalent to val == 0 */
On Tue, 9 Apr 2024 22:01:45 +0800 Edward Adam Davis wrote: > > I think I gave my feedback already. > > > > Please do not ignore maintainers feedback. > > > > This patch is absolutely wrong. > > > > Some setsockopt() deal with optlen == 1 just fine, thank you very much. > > It's better to use evidence to support your claim, rather than your "maintainer" title. Run selftests.
diff --git a/net/socket.c b/net/socket.c index e5f3af49a8b6..ac8fd4f6ebfe 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2327,6 +2327,9 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval, int err, fput_needed; struct socket *sock; + if (optlen < sizeof(int)) + return -EINVAL; + sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) return err;
The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in only 2 bytes being allocated when allocating memory to kernel_optval, and the optval size passed when calling the function copy_from_sockptr() is 4 bytes. Here, optlen is determined uniformly in the entry function __sys_setsockopt(). If its value is less than 4, the parameter is considered invalid. Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- net/socket.c | 3 +++ 1 file changed, 3 insertions(+)