From: Jakub Kicinski > Sent: 28 July 2020 16:48 > On Tue, 28 Jul 2020 08:36:43 +0200 Christoph Hellwig wrote: > > Make sure not just the pointer itself but the whole range lies in > > the user address space. For that pass the length and then use > > the access_ok helper to do the check. > > > > Fixes: 6d04fe15f78a ("net: optimize the sockptr_t for unified kernel/user > > address spaces") > > Reported-by: David Laight <david.lai...@aculab.com> > > Signed-off-by: Christoph Hellwig <h...@lst.de> > > > diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c > > index 94f18d2352d007..8b132c52045973 100644 > > --- a/net/ipv4/bpfilter/sockopt.c > > +++ b/net/ipv4/bpfilter/sockopt.c > > @@ -65,7 +65,7 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, > > > > if (get_user(len, optlen)) > > return -EFAULT; > > - err = init_user_sockptr(&optval, user_optval); > > + err = init_user_sockptr(&optval, user_optval, *optlen); > > if (err) > > return err; > > return bpfilter_mbox_request(sk, optname, optval, len, false); > > Appears to cause these two new warnings, sadly: > > net/ipv4/bpfilter/sockopt.c:68:56: warning: dereference of noderef expression > net/ipv4/bpfilter/sockopt.c:68:56: warning: dereference of noderef expression
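Review bot: In the bpfilter_ip_get_sockopt() hunk, the new third argument `*optlen` dereferences a user pointer directly from kernel code, which is what the two sparse "dereference of noderef expression" warnings at sockopt.c:68 point at. The length was already copied in safely two lines earlier by `get_user(len, optlen)`, so the call should be `init_user_sockptr(&optval, user_optval, len);`. Using `len` also means the range validated by init_user_sockptr() is the same value that is later handed to bpfilter_mbox_request(), rather than a second read of user memory that could differ from the first.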
Not surprising - 'optlen' is a user pointer. It should be passing 'len'.

David