| Message ID | 20231102191914.52957-2-pstanner@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp586390vqu;
Thu, 2 Nov 2023 12:20:38 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IHGxOI4Jlyx1dAWqceXfd3J9w3BhqiHmwwX1yYPVD8oNt8ZkO5ZwErumciKTlBV4eReHpAo
X-Received: by 2002:a05:6a00:10d2:b0:68a:3ba3:e249 with SMTP id
d18-20020a056a0010d200b0068a3ba3e249mr23290081pfu.16.1698952838315;
Thu, 02 Nov 2023 12:20:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1698952838; cv=none;
d=google.com; s=arc-20160816;
b=vSk8AjVy8X/ogybXw3pwz1rWtobC0iuXwKRDH+y7h1btK+d2TQKZilOTJoEywwAApp
9fnfTUJNgR/WNutcn4ZSuJI1/j3+OwoMekOKZlLwxeiFUWCw2IcYoDteBHgqU1kkiNR5
awNo5aIJ3z6K4Vo/J6TuvGJuQ/BG4irOyyrv/Lzy3TFhZIlJbIVMPvPJKrgyCwMDQWRA
0pZYEkd5mOii/bKc/fp11tyy6eJ34A9sDO6GL1qjvS92Cd0m2NYNQ1aPNVe/8yqDOE8o
xZEVte+dIV5GmDTsRMI1RdiqsnnX/MlGnAdPBvsud3LoDscMsBJzW7vLCXZy/3IPpIvB
pgZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=VH/N2+u/BX61pZEFnFU4abdjTRFxE7atZBHYbezDKHQ=;
fh=5gehztVVtm/u5sGB1tOX4nsrNiYQNBSdXfjnCMVCu0Q=;
b=mrYeQuwGmLLzk72SgmjNW652aST1B22Z95Lk+UuVEe351EvTkBlxPR99thSx3Tprf3
1ABUMFdw1IJLHFvqq0TzVEysJhm3wLriQyMjjQHg7KVd/UlDjLUVs7HIrtgPclCFGZqt
I/+XxAZKYa4jBfHr57Ld7MyZMDach4p+CF6Cb3LpwKTS6SEmsKisJcCVvU5oKVJGvNi0
oRDzm5NQmkHn2RqLrfa0L6Yw6hAj5E0F0mjj7fEEgILWYRLL9sitff/yXVUJBRAuFsG3
reKQr5TnpZE6ROZe5LeDZD1AlGvveaKfstXWo6vYALjTDdgeWa2TFFkq+kiisfuDUA2l
27TQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=Vhva4KTk;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
by mx.google.com with ESMTPS id
m130-20020a633f88000000b0059bb496956csi156975pga.202.2023.11.02.12.20.37
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 02 Nov 2023 12:20:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=Vhva4KTk;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by lipwig.vger.email (Postfix) with ESMTP id 1484A822B8CE;
Thu, 2 Nov 2023 12:20:36 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1345380AbjKBTUT (ORCPT <rfc822;heyuhang3455@gmail.com>
+ 35 others); Thu, 2 Nov 2023 15:20:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53974 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S233257AbjKBTUS (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 2 Nov 2023 15:20:18 -0400
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04BC3184
for <linux-kernel@vger.kernel.org>;
Thu, 2 Nov 2023 12:19:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1698952769;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=VH/N2+u/BX61pZEFnFU4abdjTRFxE7atZBHYbezDKHQ=;
b=Vhva4KTkpA0DZA+QYn4Huiv8TbDsZRogH7ulMW9S5BCIFkDFUAo9eBON/hrSj2HvikXXU2
Gs+mooYwendhU0CvCO+jhe9l75f9Dk0p1ABcZFpnJvMfbSchd5dMSCbKa1rOi9aNp1dxlS
gWHZhsn1unrtBssJOMtstUjy4RYGZVg=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com
[209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
us-mta-64-zdbuHNtHMOSt-W6XXiHcgg-1; Thu, 02 Nov 2023 15:19:27 -0400
X-MC-Unique: zdbuHNtHMOSt-W6XXiHcgg-1
Received: by mail-wr1-f70.google.com with SMTP id
ffacd0b85a97d-32dfbc50f1dso172025f8f.1
for <linux-kernel@vger.kernel.org>;
Thu, 02 Nov 2023 12:19:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1698952766; x=1699557566;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=VH/N2+u/BX61pZEFnFU4abdjTRFxE7atZBHYbezDKHQ=;
b=TB7uKQehhvTtNM3RKe1hhUorkZsENsjEVwn62QolLSMwpB8mcKMadBm4BLunp8Ad8v
Sl96QcV6k36HVTFLuvZTD2KDaxKkYAgOCnVXg/mXIfbpJzUqGdKGDqOt9Ddw0ZC2w0Xt
142dwOUVdeJ1c4d2TdLNsXXB6Rj1BW7ekikCpuMsWNEMDpoDNuSvZCD4cyoux5WnwcX1
WCj5R6ehpLh72kkfGrRrET9DMHST32ugBR88o8Dk1LtPMQwLKT2bK4i7OhViz4IWZPig
Mm35bKvb6pBV1xWANOW5Et9AVCm0IqbCPE3HBYo0n1o8l5DdtzlCraW4GAvpz1P8mT3m
ZkXQ==
X-Gm-Message-State: AOJu0YwRkYjeerFKLoC4F6nDrEQe1PliXUwc8Z+BRc03A82zmmFKw9a4
hcukHmSYf9XgMnZfjcb/CVcB+84v6XL21vM70kcfRzAdy0VmOA45yA9tTqJ2A44pcf5m/Qi6ZX3
4VRZ+4XBtz4b6TOzl/QC3wH5B
X-Received: by 2002:a05:600c:510a:b0:405:1ba2:4fcf with SMTP id
o10-20020a05600c510a00b004051ba24fcfmr15748999wms.4.1698952766729;
Thu, 02 Nov 2023 12:19:26 -0700 (PDT)
X-Received: by 2002:a05:600c:510a:b0:405:1ba2:4fcf with SMTP id
o10-20020a05600c510a00b004051ba24fcfmr15748984wms.4.1698952766361;
Thu, 02 Nov 2023 12:19:26 -0700 (PDT)
Received: from pstanner-thinkpadt14sgen1.remote.csb
([2001:9e8:32c5:d600:227b:d2ff:fe26:2a7a])
by smtp.gmail.com with ESMTPSA id
v3-20020a5d4a43000000b003232380ffd7sm86618wrs.102.2023.11.02.12.19.25
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 02 Nov 2023 12:19:25 -0700 (PDT)
From: Philipp Stanner <pstanner@redhat.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Stanislav Fomichev <sdf@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-ppp@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Philipp Stanner <pstanner@redhat.com>,
Dave Airlie <airlied@redhat.com>
Subject: [PATCH] drivers/net/ppp: copy userspace array safely
Date: Thu, 2 Nov 2023 20:19:15 +0100
Message-ID: <20231102191914.52957-2-pstanner@redhat.com>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.3 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
Thu, 02 Nov 2023 12:20:36 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1781481171679556407
X-GMAIL-MSGID: 1781481171679556407
|
| Series |
drivers/net/ppp: copy userspace array safely
|
|
Commit Message
Philipp Stanner
Nov. 2, 2023, 7:19 p.m. UTC
In ppp_generic.c memdup_user() is utilized to copy a userspace array.
This is done without an overflow check.
Use the new wrapper memdup_array_user() to copy the array more safely.
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
drivers/net/ppp/ppp_generic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Thu, Nov 02, 2023 at 08:19:15PM +0100, Philipp Stanner wrote: > In ppp_generic.c memdup_user() is utilized to copy a userspace array. > This is done without an overflow check. > > Use the new wrapper memdup_array_user() to copy the array more safely. > fprog.len = uprog->len; > - fprog.filter = memdup_user(uprog->filter, > - uprog->len * sizeof(struct sock_filter)); > + fprog.filter = memdup_array_user(uprog->filter, > + uprog->len, sizeof(struct sock_filter)); Far be it from me to discourage security theat^Whardening, but struct sock_fprog { /* Required for SO_ATTACH_FILTER. */ unsigned short len; /* Number of filter blocks */ struct sock_filter __user *filter; }; struct sock_filter { /* Filter block */ __u16 code; /* Actual filter code */ __u8 jt; /* Jump true */ __u8 jf; /* Jump false */ __u32 k; /* Generic multiuse field */ }; so you might want to mention that overflow in question would have to be in multiplying an untrusted 16bit value by 8...
Hallo Al, On Thu, 2023-11-02 at 20:09 +0000, Al Viro wrote: > On Thu, Nov 02, 2023 at 08:19:15PM +0100, Philipp Stanner wrote: > > In ppp_generic.c memdup_user() is utilized to copy a userspace > > array. > > This is done without an overflow check. > > > > Use the new wrapper memdup_array_user() to copy the array more > > safely. > > > fprog.len = uprog->len; > > - fprog.filter = memdup_user(uprog->filter, > > - uprog->len * sizeof(struct > > sock_filter)); > > + fprog.filter = memdup_array_user(uprog->filter, > > + uprog->len, sizeof(struct > > sock_filter)); > > Far be it from me to discourage security theat^Whardening, but a bit about the background here: (tl;dr: No reason to worry, I am not one of those security fanatics. In fact, I worked for 12 months with those people with some mixed experiences ^^') (btw, note that the commit says 'safety', not 'security') We introduced those wrappers to string.h hoping they will be useful. Now that they're merged, I quickly wanted to establish them as the standard for copying user-arrays, ideally in the current merge window. Because its convenient, easy to read and, at times, safer. I just want to help out a bit in the kernel, clean up here and there; it's not yet the primary task assigned to me by my employer. Thus, I quickly prepared 13 patches today implementing the wrapper. You'll find the others on LKML. Getting to: > > struct sock_fprog { /* Required for SO_ATTACH_FILTER. */ > unsigned short len; /* Number of filter blocks */ > struct sock_filter __user *filter; > }; > > struct sock_filter { /* Filter block */ > __u16 code; /* Actual filter code */ > __u8 jt; /* Jump true */ > __u8 jf; /* Jump false */ > __u32 k; /* Generic multiuse field */ > }; > > so you might want to mention that overflow in question would have to > be > in multiplying an untrusted 16bit value by 8... > I indeed did not even look at that. When it was obvious to me that fearing an overflow is ridiculous, I actually adjusted the commit-message, see for example here: [1] I just didn't see it in ppp. Maybe I should have looked more intensively for all 13 patches. But we'll get there, that's what v2 and v3 are for :) P. [1] https://lore.kernel.org/all/20231102192402.53721-2-pstanner@redhat.com/ PS: Security != Safety
On Thu, Nov 02, 2023 at 11:02:35PM +0100, Philipp Stanner wrote: > We introduced those wrappers to string.h hoping they will be useful. > Now that they're merged, I quickly wanted to establish them as the > standard for copying user-arrays, ideally in the current merge window. > Because its convenient, easy to read and, at times, safer. They also save future readers a git grep to find the sizes, etc. Again, the only suggestion is that regarding the commit message; _some_ of those might end up fixing real overflows and you obviously want to see how far do those need to be backported, etc. And "in this case the overflow doesn't actually happen because <reasons>, but not having to do such analysis is a good thing" is not a bad explanation why the primitive in question is useful, IMO. Granted, in cases like 256 * sizeof(u32) that would be pointless, but for the ones that are less obvious... > I just didn't see it in ppp. Maybe I should have looked more > intensively for all 13 patches. But we'll get there, that's what v2 and > v3 are for :) In any case you want to check if there are real bugs caught in that.
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index a9beacd552cf..0193af2d31c9 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -570,8 +570,8 @@ static struct bpf_prog *get_filter(struct sock_fprog *uprog) /* uprog->len is unsigned short, so no overflow here */ fprog.len = uprog->len; - fprog.filter = memdup_user(uprog->filter, - uprog->len * sizeof(struct sock_filter)); + fprog.filter = memdup_array_user(uprog->filter, + uprog->len, sizeof(struct sock_filter)); if (IS_ERR(fprog.filter)) return ERR_CAST(fprog.filter);