On Tue, 28 Jul 2020 08:36:43 +0200 Christoph Hellwig wrote:
> Make sure not just the pointer itself but the whole range lies in
> the user address space. For that pass the length and then use
> the access_ok helper to do the check.
>
> Fixes: 6d04fe15f78a ("net: optimize the sockptr_t for unified kernel/user
> address spaces")
> Reported-by: David Laight <david.lai...@aculab.com>
> Signed-off-by: Christoph Hellwig <h...@lst.de>
> diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c > index 94f18d2352d007..8b132c52045973 100644 > --- a/net/ipv4/bpfilter/sockopt.c > +++ b/net/ipv4/bpfilter/sockopt.c > @@ -65,7 +65,7 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, > > if (get_user(len, optlen)) > return -EFAULT; > - err = init_user_sockptr(&optval, user_optval); > + err = init_user_sockptr(&optval, user_optval, *optlen); > if (err) > return err; > return bpfilter_mbox_request(sk, optname, optval, len, false); Appears to cause these two new warnings, sadly: net/ipv4/bpfilter/sockopt.c:68:56: warning: dereference of noderef expression net/ipv4/bpfilter/sockopt.c:68:56: warning: dereference of noderef expression
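Review bot: the new third argument in bpfilter_ip_get_sockopt(), *optlen, dereferences a user-space pointer directly from kernel code. optlen is the same pointer that get_user(len, optlen) reads from two lines earlier, and this dereference is what the two sparse "dereference of noderef expression" warnings at sockopt.c:68:56 are flagging. The value has already been copied in safely into len, so pass that instead: err = init_user_sockptr(&optval, user_optval, len); This also avoids reading the user's length a second time, so the range that is checked is the same len that is handed to bpfilter_mbox_request(). Since len is user-controlled and becomes the size used for the access_ok range check, it is worth confirming how a negative value is handled; no bound on it is visible in this hunk.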