[PATCH 9/9] udpv6: Check address length before reading address family

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 9/9] udpv6: Check address length before reading address family
@ 2019-04-12 10:56 Tetsuo Handa
  2019-04-12 16:07 ` Song Liu
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Tetsuo Handa @ 2019-04-12 10:56 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Song Liu,
	Yonghong Song
  Cc: David S. Miller, netdev, Tetsuo Handa

KMSAN will complain if valid address length passed to udpv6_pre_connect()
is shorter than sizeof("struct sockaddr"->sa_family) bytes.

(This patch is bogus if it is guaranteed that udpv6_pre_connect() is
always called after checking "struct sockaddr"->sa_family. In that case,
we want a comment why we don't need to check valid address length here.)

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 net/ipv6/udp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index d538fafaf4a9..2464fba569b4 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1045,6 +1045,8 @@ static void udp_v6_flush_pending_frames(struct sock *sk)
 static int udpv6_pre_connect(struct sock *sk, struct sockaddr *uaddr,
 			     int addr_len)
 {
+	if (addr_len < offsetofend(struct sockaddr, sa_family))
+		return -EINVAL;
 	/* The following checks are replicated from __ip6_datagram_connect()
 	 * and intended to prevent BPF program called below from accessing
 	 * bytes that are out of the bound specified by user in addr_len.
-- 
2.16.5


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 9/9] udpv6: Check address length before reading address family
  2019-04-12 10:56 [PATCH 9/9] udpv6: Check address length before reading address family Tetsuo Handa
@ 2019-04-12 16:07 ` Song Liu
  2019-04-12 16:49 ` Andrey Ignatov
  2019-04-12 17:26 ` David Miller
  2 siblings, 0 replies; 5+ messages in thread
From: Song Liu @ 2019-04-12 16:07 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Alexei Starovoitov, Daniel Borkmann, Martin Lau, Yonghong Song,
	David S. Miller, netdev



> On Apr 12, 2019, at 3:56 AM, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> 
> KMSAN will complain if valid address length passed to udpv6_pre_connect()
> is shorter than sizeof("struct sockaddr"->sa_family) bytes.
> 
> (This patch is bogus if it is guaranteed that udpv6_pre_connect() is
> always called after checking "struct sockaddr"->sa_family. In that case,
> we want a comment why we don't need to check valid address length here.)
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Looks good. 

Acked-by: Song Liu <songliubraving@fb.com>


> ---
> net/ipv6/udp.c | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index d538fafaf4a9..2464fba569b4 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1045,6 +1045,8 @@ static void udp_v6_flush_pending_frames(struct sock *sk)
> static int udpv6_pre_connect(struct sock *sk, struct sockaddr *uaddr,
> 			     int addr_len)
> {
> +	if (addr_len < offsetofend(struct sockaddr, sa_family))
> +		return -EINVAL;
> 	/* The following checks are replicated from __ip6_datagram_connect()
> 	 * and intended to prevent BPF program called below from accessing
> 	 * bytes that are out of the bound specified by user in addr_len.
> -- 
> 2.16.5
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 9/9] udpv6: Check address length before reading address family
  2019-04-12 10:56 [PATCH 9/9] udpv6: Check address length before reading address family Tetsuo Handa
  2019-04-12 16:07 ` Song Liu
@ 2019-04-12 16:49 ` Andrey Ignatov
  2019-04-13  2:06   ` Tetsuo Handa
  2019-04-12 17:26 ` David Miller
  2 siblings, 1 reply; 5+ messages in thread
From: Andrey Ignatov @ 2019-04-12 16:49 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Alexei Starovoitov, Daniel Borkmann, Martin Lau, Song Liu,
	Yonghong Song, David S. Miller, netdev

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> [Fri, 2019-04-12 03:57 -0700]:
> KMSAN will complain if valid address length passed to udpv6_pre_connect()
> is shorter than sizeof("struct sockaddr"->sa_family) bytes.
> 
> (This patch is bogus if it is guaranteed that udpv6_pre_connect() is
> always called after checking "struct sockaddr"->sa_family. In that case,
> we want a comment why we don't need to check valid address length here.)
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  net/ipv6/udp.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index d538fafaf4a9..2464fba569b4 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1045,6 +1045,8 @@ static void udp_v6_flush_pending_frames(struct sock *sk)
>  static int udpv6_pre_connect(struct sock *sk, struct sockaddr *uaddr,
>  			     int addr_len)
>  {
> +	if (addr_len < offsetofend(struct sockaddr, sa_family))
> +		return -EINVAL;

Such a check wasn't added since it's already checked in
inet_dgram_connect, the only place where udpv6_pre_connect is called:

  int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,
                         int addr_len, int flags)
  {
          struct sock *sk = sock->sk;
          int err;
  
          if (addr_len < sizeof(uaddr->sa_family))
                  return -EINVAL;
          if (uaddr->sa_family == AF_UNSPEC)
                  return sk->sk_prot->disconnect(sk, flags);
  
          if (BPF_CGROUP_PRE_CONNECT_ENABLED(sk)) {
                  err = sk->sk_prot->pre_connect(sk, uaddr, addr_len);
                  if (err)
                          return err;
          }

So it's already handled. But if it helps KMSAN, that's probably fine to
double-check it here. Or it's considered false positive?

>  	/* The following checks are replicated from __ip6_datagram_connect()
>  	 * and intended to prevent BPF program called below from accessing
>  	 * bytes that are out of the bound specified by user in addr_len.

-- 
Andrey Ignatov

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 9/9] udpv6: Check address length before reading address family
  2019-04-12 10:56 [PATCH 9/9] udpv6: Check address length before reading address family Tetsuo Handa
  2019-04-12 16:07 ` Song Liu
  2019-04-12 16:49 ` Andrey Ignatov
@ 2019-04-12 17:26 ` David Miller
  2 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2019-04-12 17:26 UTC (permalink / raw)
  To: penguin-kernel; +Cc: ast, daniel, kafai, songliubraving, yhs, netdev

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Fri, 12 Apr 2019 19:56:39 +0900

> KMSAN will complain if valid address length passed to udpv6_pre_connect()
> is shorter than sizeof("struct sockaddr"->sa_family) bytes.
> 
> (This patch is bogus if it is guaranteed that udpv6_pre_connect() is
> always called after checking "struct sockaddr"->sa_family. In that case,
> we want a comment why we don't need to check valid address length here.)
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Applied.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 9/9] udpv6: Check address length before reading address family
  2019-04-12 16:49 ` Andrey Ignatov
@ 2019-04-13  2:06   ` Tetsuo Handa
  0 siblings, 0 replies; 5+ messages in thread
From: Tetsuo Handa @ 2019-04-13  2:06 UTC (permalink / raw)
  To: Andrey Ignatov
  Cc: Alexei Starovoitov, Daniel Borkmann, Martin Lau, Song Liu,
	Yonghong Song, David S. Miller, netdev

On 2019/04/13 1:49, Andrey Ignatov wrote:
> Such a check wasn't added since it's already checked in
> inet_dgram_connect, the only place where udpv6_pre_connect is called:
> 
>   int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,
>                          int addr_len, int flags)
>   {
>           struct sock *sk = sock->sk;
>           int err;
>   
>           if (addr_len < sizeof(uaddr->sa_family))
>                   return -EINVAL;
>           if (uaddr->sa_family == AF_UNSPEC)
>                   return sk->sk_prot->disconnect(sk, flags);
>   
>           if (BPF_CGROUP_PRE_CONNECT_ENABLED(sk)) {
>                   err = sk->sk_prot->pre_connect(sk, uaddr, addr_len);
>                   if (err)
>                           return err;
>           }
> 
> So it's already handled. But if it helps KMSAN, that's probably fine to
> double-check it here. Or it's considered false positive?

OK, then KMSAN will not complain and this patch can be dropped.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-04-13  2:06 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-12 10:56 [PATCH 9/9] udpv6: Check address length before reading address family Tetsuo Handa
2019-04-12 16:07 ` Song Liu
2019-04-12 16:49 ` Andrey Ignatov
2019-04-13  2:06   ` Tetsuo Handa
2019-04-12 17:26 ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.