All of lore.kernel.org
 help / color / mirror / Atom feed
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-12  2:28 kernel test robot
  0 siblings, 0 replies; 14+ messages in thread
From: kernel test robot @ 2021-02-12  2:28 UTC (permalink / raw)
  To: kbuild

[-- Attachment #1: Type: text/plain, Size: 27881 bytes --]

CC: kbuild-all(a)lists.01.org
In-Reply-To: <20210211212107.662291-1-arjunroy.kdev@gmail.com>
References: <20210211212107.662291-1-arjunroy.kdev@gmail.com>
TO: Arjun Roy <arjunroy.kdev@gmail.com>
TO: davem(a)davemloft.net
TO: netdev(a)vger.kernel.org
CC: arjunroy(a)google.com
CC: edumazet(a)google.com
CC: soheil(a)google.com
CC: David Ahern <dsahern@gmail.com>
CC: Leon Romanovsky <leon@kernel.org>
CC: Jakub Kicinski <kuba@kernel.org>

Hi Arjun,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net-next/master]

url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
:::::: branch date: 5 hours ago
:::::: commit date: 5 hours ago
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'

vim +/len +4158 net/ipv4/tcp.c

1c885808e45601 Francis Yan              2016-11-27  3895  
3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3903  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3904  	if (get_user(len, optlen))
^1da177e4c3f41 Linus Torvalds           2005-04-16  3905  		return -EFAULT;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3906  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3907  	len = min_t(unsigned int, len, sizeof(int));
^1da177e4c3f41 Linus Torvalds           2005-04-16  3908  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3909  	if (len < 0)
^1da177e4c3f41 Linus Torvalds           2005-04-16  3910  		return -EINVAL;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3911  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3912  	switch (optname) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  3913  	case TCP_MAXSEG:
c1b4a7e69576d6 David S. Miller          2005-07-05  3914  		val = tp->mss_cache;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3915  		if (!val && ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
^1da177e4c3f41 Linus Torvalds           2005-04-16  3916  			val = tp->rx_opt.user_mss;
5e6a3ce6573f0c Pavel Emelyanov          2012-04-19  3917  		if (tp->repair)
5e6a3ce6573f0c Pavel Emelyanov          2012-04-19  3918  			val = tp->rx_opt.mss_clamp;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3919  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3920  	case TCP_NODELAY:
^1da177e4c3f41 Linus Torvalds           2005-04-16  3921  		val = !!(tp->nonagle&TCP_NAGLE_OFF);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3922  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3923  	case TCP_CORK:
^1da177e4c3f41 Linus Torvalds           2005-04-16  3924  		val = !!(tp->nonagle&TCP_NAGLE_CORK);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3925  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3926  	case TCP_KEEPIDLE:
df19a626770545 Eric Dumazet             2009-08-28  3927  		val = keepalive_time_when(tp) / HZ;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3928  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3929  	case TCP_KEEPINTVL:
df19a626770545 Eric Dumazet             2009-08-28  3930  		val = keepalive_intvl_when(tp) / HZ;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3931  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3932  	case TCP_KEEPCNT:
df19a626770545 Eric Dumazet             2009-08-28  3933  		val = keepalive_probes(tp);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3934  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3935  	case TCP_SYNCNT:
6fa251663069e0 Nikolay Borisov          2016-02-03  3936  		val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3937  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3938  	case TCP_LINGER2:
^1da177e4c3f41 Linus Torvalds           2005-04-16  3939  		val = tp->linger2;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3940  		if (val >= 0)
1e579caa18b96f Nikolay Borisov          2016-02-03  3941  			val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3942  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3943  	case TCP_DEFER_ACCEPT:
b103cf34382f26 Julian Anastasov         2009-10-19  3944  		val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
b103cf34382f26 Julian Anastasov         2009-10-19  3945  				      TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3946  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3947  	case TCP_WINDOW_CLAMP:
^1da177e4c3f41 Linus Torvalds           2005-04-16  3948  		val = tp->window_clamp;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3949  		break;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3950  	case TCP_INFO: {
^1da177e4c3f41 Linus Torvalds           2005-04-16  3951  		struct tcp_info info;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3952  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3953  		if (get_user(len, optlen))
^1da177e4c3f41 Linus Torvalds           2005-04-16  3954  			return -EFAULT;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3955  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3956  		tcp_get_info(sk, &info);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3957  
^1da177e4c3f41 Linus Torvalds           2005-04-16  3958  		len = min_t(unsigned int, len, sizeof(info));
^1da177e4c3f41 Linus Torvalds           2005-04-16  3959  		if (put_user(len, optlen))
^1da177e4c3f41 Linus Torvalds           2005-04-16  3960  			return -EFAULT;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3961  		if (copy_to_user(optval, &info, len))
^1da177e4c3f41 Linus Torvalds           2005-04-16  3962  			return -EFAULT;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3963  		return 0;
^1da177e4c3f41 Linus Torvalds           2005-04-16  3964  	}
6e9250f59ef9ef Eric Dumazet             2015-04-28  3965  	case TCP_CC_INFO: {
6e9250f59ef9ef Eric Dumazet             2015-04-28  3966  		const struct tcp_congestion_ops *ca_ops;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3967  		union tcp_cc_info info;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3968  		size_t sz = 0;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3969  		int attr;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3970  
6e9250f59ef9ef Eric Dumazet             2015-04-28  3971  		if (get_user(len, optlen))
6e9250f59ef9ef Eric Dumazet             2015-04-28  3972  			return -EFAULT;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3973  
6e9250f59ef9ef Eric Dumazet             2015-04-28  3974  		ca_ops = icsk->icsk_ca_ops;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3975  		if (ca_ops && ca_ops->get_info)
6e9250f59ef9ef Eric Dumazet             2015-04-28  3976  			sz = ca_ops->get_info(sk, ~0U, &attr, &info);
6e9250f59ef9ef Eric Dumazet             2015-04-28  3977  
6e9250f59ef9ef Eric Dumazet             2015-04-28  3978  		len = min_t(unsigned int, len, sz);
6e9250f59ef9ef Eric Dumazet             2015-04-28  3979  		if (put_user(len, optlen))
6e9250f59ef9ef Eric Dumazet             2015-04-28  3980  			return -EFAULT;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3981  		if (copy_to_user(optval, &info, len))
6e9250f59ef9ef Eric Dumazet             2015-04-28  3982  			return -EFAULT;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3983  		return 0;
6e9250f59ef9ef Eric Dumazet             2015-04-28  3984  	}
^1da177e4c3f41 Linus Torvalds           2005-04-16  3985  	case TCP_QUICKACK:
31954cd8bb6670 Wei Wang                 2019-01-25  3986  		val = !inet_csk_in_pingpong_mode(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3987  		break;
5f8ef48d240963 Stephen Hemminger        2005-06-23  3988  
5f8ef48d240963 Stephen Hemminger        2005-06-23  3989  	case TCP_CONGESTION:
5f8ef48d240963 Stephen Hemminger        2005-06-23  3990  		if (get_user(len, optlen))
5f8ef48d240963 Stephen Hemminger        2005-06-23  3991  			return -EFAULT;
5f8ef48d240963 Stephen Hemminger        2005-06-23  3992  		len = min_t(unsigned int, len, TCP_CA_NAME_MAX);
5f8ef48d240963 Stephen Hemminger        2005-06-23  3993  		if (put_user(len, optlen))
5f8ef48d240963 Stephen Hemminger        2005-06-23  3994  			return -EFAULT;
6687e988d9aeac Arnaldo Carvalho de Melo 2005-08-10  3995  		if (copy_to_user(optval, icsk->icsk_ca_ops->name, len))
5f8ef48d240963 Stephen Hemminger        2005-06-23  3996  			return -EFAULT;
5f8ef48d240963 Stephen Hemminger        2005-06-23  3997  		return 0;
e56fb50f2b7958 William Allen Simpson    2009-12-02  3998  
734942cc4ea647 Dave Watson              2017-06-14  3999  	case TCP_ULP:
734942cc4ea647 Dave Watson              2017-06-14  4000  		if (get_user(len, optlen))
734942cc4ea647 Dave Watson              2017-06-14  4001  			return -EFAULT;
734942cc4ea647 Dave Watson              2017-06-14  4002  		len = min_t(unsigned int, len, TCP_ULP_NAME_MAX);
d97af30f615eea Dave Watson              2017-06-26  4003  		if (!icsk->icsk_ulp_ops) {
d97af30f615eea Dave Watson              2017-06-26  4004  			if (put_user(0, optlen))
d97af30f615eea Dave Watson              2017-06-26  4005  				return -EFAULT;
d97af30f615eea Dave Watson              2017-06-26  4006  			return 0;
d97af30f615eea Dave Watson              2017-06-26  4007  		}
734942cc4ea647 Dave Watson              2017-06-14  4008  		if (put_user(len, optlen))
734942cc4ea647 Dave Watson              2017-06-14  4009  			return -EFAULT;
734942cc4ea647 Dave Watson              2017-06-14  4010  		if (copy_to_user(optval, icsk->icsk_ulp_ops->name, len))
734942cc4ea647 Dave Watson              2017-06-14  4011  			return -EFAULT;
734942cc4ea647 Dave Watson              2017-06-14  4012  		return 0;
734942cc4ea647 Dave Watson              2017-06-14  4013  
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4014  	case TCP_FASTOPEN_KEY: {
f19008e676366c Jason Baron              2020-08-10  4015  		u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)];
f19008e676366c Jason Baron              2020-08-10  4016  		unsigned int key_len;
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4017  
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4018  		if (get_user(len, optlen))
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4019  			return -EFAULT;
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4020  
f19008e676366c Jason Baron              2020-08-10  4021  		key_len = tcp_fastopen_get_cipher(net, icsk, key) *
0f1ce0236865e8 Jason Baron              2019-05-29  4022  				TCP_FASTOPEN_KEY_LENGTH;
0f1ce0236865e8 Jason Baron              2019-05-29  4023  		len = min_t(unsigned int, len, key_len);
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4024  		if (put_user(len, optlen))
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4025  			return -EFAULT;
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4026  		if (copy_to_user(optval, key, len))
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4027  			return -EFAULT;
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4028  		return 0;
1fba70e5b6bed5 Yuchung Cheng            2017-10-18  4029  	}
3c0fef0b7d36e5 Josh Hunt                2010-07-30  4030  	case TCP_THIN_LINEAR_TIMEOUTS:
3c0fef0b7d36e5 Josh Hunt                2010-07-30  4031  		val = tp->thin_lto;
3c0fef0b7d36e5 Josh Hunt                2010-07-30  4032  		break;
4a7f6009441144 Yuchung Cheng            2017-01-12  4033  
3c0fef0b7d36e5 Josh Hunt                2010-07-30  4034  	case TCP_THIN_DUPACK:
4a7f6009441144 Yuchung Cheng            2017-01-12  4035  		val = 0;
3c0fef0b7d36e5 Josh Hunt                2010-07-30  4036  		break;
dca43c75e7e545 Jerry Chu                2010-08-27  4037  
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4038  	case TCP_REPAIR:
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4039  		val = tp->repair;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4040  		break;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4041  
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4042  	case TCP_REPAIR_QUEUE:
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4043  		if (tp->repair)
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4044  			val = tp->repair_queue;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4045  		else
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4046  			return -EINVAL;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4047  		break;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4048  
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4049  	case TCP_REPAIR_WINDOW: {
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4050  		struct tcp_repair_window opt;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4051  
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4052  		if (get_user(len, optlen))
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4053  			return -EFAULT;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4054  
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4055  		if (len != sizeof(opt))
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4056  			return -EINVAL;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4057  
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4058  		if (!tp->repair)
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4059  			return -EPERM;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4060  
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4061  		opt.snd_wl1	= tp->snd_wl1;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4062  		opt.snd_wnd	= tp->snd_wnd;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4063  		opt.max_window	= tp->max_window;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4064  		opt.rcv_wnd	= tp->rcv_wnd;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4065  		opt.rcv_wup	= tp->rcv_wup;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4066  
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4067  		if (copy_to_user(optval, &opt, len))
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4068  			return -EFAULT;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4069  		return 0;
b1ed4c4fa9a5cc Andrey Vagin             2016-06-27  4070  	}
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4071  	case TCP_QUEUE_SEQ:
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4072  		if (tp->repair_queue == TCP_SEND_QUEUE)
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4073  			val = tp->write_seq;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4074  		else if (tp->repair_queue == TCP_RECV_QUEUE)
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4075  			val = tp->rcv_nxt;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4076  		else
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4077  			return -EINVAL;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4078  		break;
ee9952831cfd0b Pavel Emelyanov          2012-04-19  4079  
dca43c75e7e545 Jerry Chu                2010-08-27  4080  	case TCP_USER_TIMEOUT:
9bcc66e1983d10 Jon Maxwell              2018-07-19  4081  		val = icsk->icsk_user_timeout;
dca43c75e7e545 Jerry Chu                2010-08-27  4082  		break;
1536e2857bd38e Kenjiro Nakayama         2014-04-17  4083  
1536e2857bd38e Kenjiro Nakayama         2014-04-17  4084  	case TCP_FASTOPEN:
0536fcc039a892 Eric Dumazet             2015-09-29  4085  		val = icsk->icsk_accept_queue.fastopenq.max_qlen;
1536e2857bd38e Kenjiro Nakayama         2014-04-17  4086  		break;
1536e2857bd38e Kenjiro Nakayama         2014-04-17  4087  
19f6d3f3c8422d Wei Wang                 2017-01-23  4088  	case TCP_FASTOPEN_CONNECT:
19f6d3f3c8422d Wei Wang                 2017-01-23  4089  		val = tp->fastopen_connect;
19f6d3f3c8422d Wei Wang                 2017-01-23  4090  		break;
19f6d3f3c8422d Wei Wang                 2017-01-23  4091  
71c02379c762cb Christoph Paasch         2017-10-23  4092  	case TCP_FASTOPEN_NO_COOKIE:
71c02379c762cb Christoph Paasch         2017-10-23  4093  		val = tp->fastopen_no_cookie;
71c02379c762cb Christoph Paasch         2017-10-23  4094  		break;
71c02379c762cb Christoph Paasch         2017-10-23  4095  
a842fe1425cb20 Eric Dumazet             2019-06-12  4096  	case TCP_TX_DELAY:
a842fe1425cb20 Eric Dumazet             2019-06-12  4097  		val = tp->tcp_tx_delay;
a842fe1425cb20 Eric Dumazet             2019-06-12  4098  		break;
a842fe1425cb20 Eric Dumazet             2019-06-12  4099  
93be6ce0e91b6a Andrey Vagin             2013-02-11  4100  	case TCP_TIMESTAMP:
9a568de4818dea Eric Dumazet             2017-05-16  4101  		val = tcp_time_stamp_raw() + tp->tsoffset;
93be6ce0e91b6a Andrey Vagin             2013-02-11  4102  		break;
c9bee3b7fdecb0 Eric Dumazet             2013-07-22  4103  	case TCP_NOTSENT_LOWAT:
c9bee3b7fdecb0 Eric Dumazet             2013-07-22  4104  		val = tp->notsent_lowat;
c9bee3b7fdecb0 Eric Dumazet             2013-07-22  4105  		break;
b75eba76d3d72e Soheil Hassas Yeganeh    2018-05-01  4106  	case TCP_INQ:
b75eba76d3d72e Soheil Hassas Yeganeh    2018-05-01  4107  		val = tp->recvmsg_inq;
b75eba76d3d72e Soheil Hassas Yeganeh    2018-05-01  4108  		break;
cd8ae85299d541 Eric Dumazet             2015-05-03  4109  	case TCP_SAVE_SYN:
cd8ae85299d541 Eric Dumazet             2015-05-03  4110  		val = tp->save_syn;
cd8ae85299d541 Eric Dumazet             2015-05-03  4111  		break;
cd8ae85299d541 Eric Dumazet             2015-05-03  4112  	case TCP_SAVED_SYN: {
cd8ae85299d541 Eric Dumazet             2015-05-03  4113  		if (get_user(len, optlen))
cd8ae85299d541 Eric Dumazet             2015-05-03  4114  			return -EFAULT;
cd8ae85299d541 Eric Dumazet             2015-05-03  4115  
cd8ae85299d541 Eric Dumazet             2015-05-03  4116  		lock_sock(sk);
cd8ae85299d541 Eric Dumazet             2015-05-03  4117  		if (tp->saved_syn) {
70a217f1976f75 Martin KaFai Lau         2020-08-20  4118  			if (len < tcp_saved_syn_len(tp->saved_syn)) {
70a217f1976f75 Martin KaFai Lau         2020-08-20  4119  				if (put_user(tcp_saved_syn_len(tp->saved_syn),
70a217f1976f75 Martin KaFai Lau         2020-08-20  4120  					     optlen)) {
aea0929e516a1f Eric B Munson            2015-05-18  4121  					release_sock(sk);
aea0929e516a1f Eric B Munson            2015-05-18  4122  					return -EFAULT;
aea0929e516a1f Eric B Munson            2015-05-18  4123  				}
aea0929e516a1f Eric B Munson            2015-05-18  4124  				release_sock(sk);
aea0929e516a1f Eric B Munson            2015-05-18  4125  				return -EINVAL;
aea0929e516a1f Eric B Munson            2015-05-18  4126  			}
70a217f1976f75 Martin KaFai Lau         2020-08-20  4127  			len = tcp_saved_syn_len(tp->saved_syn);
cd8ae85299d541 Eric Dumazet             2015-05-03  4128  			if (put_user(len, optlen)) {
cd8ae85299d541 Eric Dumazet             2015-05-03  4129  				release_sock(sk);
cd8ae85299d541 Eric Dumazet             2015-05-03  4130  				return -EFAULT;
cd8ae85299d541 Eric Dumazet             2015-05-03  4131  			}
70a217f1976f75 Martin KaFai Lau         2020-08-20  4132  			if (copy_to_user(optval, tp->saved_syn->data, len)) {
cd8ae85299d541 Eric Dumazet             2015-05-03  4133  				release_sock(sk);
cd8ae85299d541 Eric Dumazet             2015-05-03  4134  				return -EFAULT;
cd8ae85299d541 Eric Dumazet             2015-05-03  4135  			}
cd8ae85299d541 Eric Dumazet             2015-05-03  4136  			tcp_saved_syn_free(tp);
cd8ae85299d541 Eric Dumazet             2015-05-03  4137  			release_sock(sk);
cd8ae85299d541 Eric Dumazet             2015-05-03  4138  		} else {
cd8ae85299d541 Eric Dumazet             2015-05-03  4139  			release_sock(sk);
cd8ae85299d541 Eric Dumazet             2015-05-03  4140  			len = 0;
cd8ae85299d541 Eric Dumazet             2015-05-03  4141  			if (put_user(len, optlen))
cd8ae85299d541 Eric Dumazet             2015-05-03  4142  				return -EFAULT;
cd8ae85299d541 Eric Dumazet             2015-05-03  4143  		}
cd8ae85299d541 Eric Dumazet             2015-05-03  4144  		return 0;
cd8ae85299d541 Eric Dumazet             2015-05-03  4145  	}
05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
05255b823a6173 Eric Dumazet             2018-04-27  4151  
05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;
110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
110912bdf28392 Arjun Roy                2021-02-11  4159  			if (err < 1)
110912bdf28392 Arjun Roy                2021-02-11  4160  				return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy                2020-02-14  4161  			len = sizeof(zc);
0b7f41f68710cc Arjun Roy                2020-02-25  4162  			if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy                2020-02-25  4163  				return -EFAULT;
0b7f41f68710cc Arjun Roy                2020-02-25  4164  		}
05255b823a6173 Eric Dumazet             2018-04-27  4165  		if (copy_from_user(&zc, optval, len))
05255b823a6173 Eric Dumazet             2018-04-27  4166  			return -EFAULT;
110912bdf28392 Arjun Roy                2021-02-11  4167  		if (zc.reserved)
110912bdf28392 Arjun Roy                2021-02-11  4168  			return -EINVAL;
110912bdf28392 Arjun Roy                2021-02-11  4169  		if (zc.msg_flags &  ~(TCP_VALID_ZC_MSG_FLAGS))
110912bdf28392 Arjun Roy                2021-02-11  4170  			return -EINVAL;
05255b823a6173 Eric Dumazet             2018-04-27  4171  		lock_sock(sk);
7eeba1706eba6d Arjun Roy                2021-01-20  4172  		err = tcp_zerocopy_receive(sk, &zc, &tss);
05255b823a6173 Eric Dumazet             2018-04-27  4173  		release_sock(sk);
7eeba1706eba6d Arjun Roy                2021-01-20  4174  		if (len >= offsetofend(struct tcp_zerocopy_receive, msg_flags))
7eeba1706eba6d Arjun Roy                2021-01-20  4175  			goto zerocopy_rcv_cmsg;
c8856c05145490 Arjun Roy                2020-02-14  4176  		switch (len) {
7eeba1706eba6d Arjun Roy                2021-01-20  4177  		case offsetofend(struct tcp_zerocopy_receive, msg_flags):
7eeba1706eba6d Arjun Roy                2021-01-20  4178  			goto zerocopy_rcv_cmsg;
7eeba1706eba6d Arjun Roy                2021-01-20  4179  		case offsetofend(struct tcp_zerocopy_receive, msg_controllen):
7eeba1706eba6d Arjun Roy                2021-01-20  4180  		case offsetofend(struct tcp_zerocopy_receive, msg_control):
7eeba1706eba6d Arjun Roy                2021-01-20  4181  		case offsetofend(struct tcp_zerocopy_receive, flags):
7eeba1706eba6d Arjun Roy                2021-01-20  4182  		case offsetofend(struct tcp_zerocopy_receive, copybuf_len):
7eeba1706eba6d Arjun Roy                2021-01-20  4183  		case offsetofend(struct tcp_zerocopy_receive, copybuf_address):
33946518d493cd Arjun Roy                2020-02-14  4184  		case offsetofend(struct tcp_zerocopy_receive, err):
33946518d493cd Arjun Roy                2020-02-14  4185  			goto zerocopy_rcv_sk_err;
c8856c05145490 Arjun Roy                2020-02-14  4186  		case offsetofend(struct tcp_zerocopy_receive, inq):
c8856c05145490 Arjun Roy                2020-02-14  4187  			goto zerocopy_rcv_inq;
c8856c05145490 Arjun Roy                2020-02-14  4188  		case offsetofend(struct tcp_zerocopy_receive, length):
c8856c05145490 Arjun Roy                2020-02-14  4189  		default:
c8856c05145490 Arjun Roy                2020-02-14  4190  			goto zerocopy_rcv_out;
c8856c05145490 Arjun Roy                2020-02-14  4191  		}
7eeba1706eba6d Arjun Roy                2021-01-20  4192  zerocopy_rcv_cmsg:
7eeba1706eba6d Arjun Roy                2021-01-20  4193  		if (zc.msg_flags & TCP_CMSG_TS)
7eeba1706eba6d Arjun Roy                2021-01-20  4194  			tcp_zc_finalize_rx_tstamp(sk, &zc, &tss);
7eeba1706eba6d Arjun Roy                2021-01-20  4195  		else
7eeba1706eba6d Arjun Roy                2021-01-20  4196  			zc.msg_flags = 0;
33946518d493cd Arjun Roy                2020-02-14  4197  zerocopy_rcv_sk_err:
33946518d493cd Arjun Roy                2020-02-14  4198  		if (!err)
33946518d493cd Arjun Roy                2020-02-14  4199  			zc.err = sock_error(sk);
c8856c05145490 Arjun Roy                2020-02-14  4200  zerocopy_rcv_inq:
c8856c05145490 Arjun Roy                2020-02-14  4201  		zc.inq = tcp_inq_hint(sk);
c8856c05145490 Arjun Roy                2020-02-14  4202  zerocopy_rcv_out:
05255b823a6173 Eric Dumazet             2018-04-27  4203  		if (!err && copy_to_user(optval, &zc, len))
05255b823a6173 Eric Dumazet             2018-04-27  4204  			err = -EFAULT;
05255b823a6173 Eric Dumazet             2018-04-27  4205  		return err;
05255b823a6173 Eric Dumazet             2018-04-27  4206  	}
05255b823a6173 Eric Dumazet             2018-04-27  4207  #endif
^1da177e4c3f41 Linus Torvalds           2005-04-16  4208  	default:
^1da177e4c3f41 Linus Torvalds           2005-04-16  4209  		return -ENOPROTOOPT;
3ff50b7997fe06 Stephen Hemminger        2007-04-20  4210  	}
^1da177e4c3f41 Linus Torvalds           2005-04-16  4211  
^1da177e4c3f41 Linus Torvalds           2005-04-16  4212  	if (put_user(len, optlen))
^1da177e4c3f41 Linus Torvalds           2005-04-16  4213  		return -EFAULT;
^1da177e4c3f41 Linus Torvalds           2005-04-16  4214  	if (copy_to_user(optval, &val, len))
^1da177e4c3f41 Linus Torvalds           2005-04-16  4215  		return -EFAULT;
^1da177e4c3f41 Linus Torvalds           2005-04-16  4216  	return 0;
^1da177e4c3f41 Linus Torvalds           2005-04-16  4217  }
^1da177e4c3f41 Linus Torvalds           2005-04-16  4218  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-15 16:02       ` Dan Carpenter
@ 2021-02-25 23:00         ` Arjun Roy
  -1 siblings, 0 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-25 23:00 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: David Ahern, kbuild, Arjun Roy, David Miller, netdev, lkp,
	kbuild-all, Eric Dumazet, Soheil Hassas Yeganeh, Leon Romanovsky,
	Jakub Kicinski

On Mon, Feb 15, 2021 at 8:02 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> > On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > > Hi Arjun,
> > >
> > > url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > > base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git  e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > >
> > > vim +/len +4158 net/ipv4/tcp.c
> > >
> > > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
> > > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897            int optname, char __user *optval, int __user *optlen)
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> > > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899    struct inet_connection_sock *icsk = inet_csk(sk);
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900    struct tcp_sock *tp = tcp_sk(sk);
> > > 6fa251663069e0 Nikolay Borisov          2016-02-03  3901    struct net *net = sock_net(sk);
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902    int val, len;
> > >
> > > "len" is int.
> > >
> > > [ snip ]
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4147    case TCP_ZEROCOPY_RECEIVE: {
> > > 7eeba1706eba6d Arjun Roy                2021-01-20  4148            struct scm_timestamping_internal tss;
> > > e0fecb289ad3fd Arjun Roy                2020-12-10  4149            struct tcp_zerocopy_receive zc = {};
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4150            int err;
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4151
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4152            if (get_user(len, optlen))
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4153                    return -EFAULT;
> > > c8856c05145490 Arjun Roy                2020-02-14  4154            if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4155                    return -EINVAL;
> > >
> > >
> > > The problem is that negative values of "len" are type promoted to high
> > > positive values.  So the fix is to write this as:
> > >
> > >     if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > >             return -EINVAL;
> > >
> > > 110912bdf28392 Arjun Roy                2021-02-11  4156            if (unlikely(len > sizeof(zc))) {
> > > 110912bdf28392 Arjun Roy                2021-02-11  4157                    err = check_zeroed_user(optval + sizeof(zc),
> > > 110912bdf28392 Arjun Roy                2021-02-11 @4158                                            len - sizeof(zc));
> > >                                                                                                         ^^^^^^^^^^^^^^^^
> > > Potentially "len - a negative value".
> > >
> > >
> >
> > get_user(len, optlen) is called multiple times in that function. len < 0
> > was checked after the first one at the top.
> >
>
> What you're describing is a "Double Fetch" bug, where the attack is we
> get some data from the user, and we verify it, then we get it from the
> user a second time and trust it.  The problem is that the user modifies
> it between the first and second get_user() call so it ends up being a
> security vulnerability.
>
> But I'm glad you pointed out the first get_user() because it has an
> ancient, harmless pre git bug in it.
>
> net/ipv4/tcp.c
>   3888  static int do_tcp_getsockopt(struct sock *sk, int level,
>   3889                  int optname, char __user *optval, int __user *optlen)
>   3890  {
>   3891          struct inet_connection_sock *icsk = inet_csk(sk);
>   3892          struct tcp_sock *tp = tcp_sk(sk);
>   3893          struct net *net = sock_net(sk);
>   3894          int val, len;
>   3895
>   3896          if (get_user(len, optlen))
>   3897                  return -EFAULT;
>   3898
>   3899          len = min_t(unsigned int, len, sizeof(int));
>   3900
>   3901          if (len < 0)
>                     ^^^^^^^
> This is impossible.  "len" has to be in the 0-4 range because of the
> min_t() assignment.  It's harmless though and the condition should just
> be removed.
>
>   3902                  return -EINVAL;
>   3903
>   3904          switch (optname) {
>   3905          case TCP_MAXSEG:
>
> Anyway, I will create a new Smatch warning for this situation.
>
> > Also, maybe I am missing something here, but offsetofend can not return
> > a negative value, so this checks catches len < 0 as well:
> >
> >       if (len < offsetofend(struct tcp_zerocopy_receive, length))
> >               return -EINVAL;
> >
>
> offsetofend is (unsigned long)12.  If we compare a negative integer with
> (unsigned long)12 then negative number is type promoted to a high
> positive value.
>
>         if (-1 < (usigned long)12)
>                 printf("dan is wrong\n");
>
> regards,
> dan carpenter
>
>
Thank you for the catch. I will send out a fix momentarily.

Actually, now I'm curious - why does do_tcp_getsockopt get called so
many times, per getsockopt target - rather than just using the
originally read value?

-Arjun

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-25 23:00         ` Arjun Roy
  0 siblings, 0 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-25 23:00 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 5902 bytes --]

On Mon, Feb 15, 2021 at 8:02 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> > On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > > Hi Arjun,
> > >
> > > url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > > base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git  e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > >
> > > vim +/len +4158 net/ipv4/tcp.c
> > >
> > > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
> > > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897            int optname, char __user *optval, int __user *optlen)
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> > > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899    struct inet_connection_sock *icsk = inet_csk(sk);
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900    struct tcp_sock *tp = tcp_sk(sk);
> > > 6fa251663069e0 Nikolay Borisov          2016-02-03  3901    struct net *net = sock_net(sk);
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902    int val, len;
> > >
> > > "len" is int.
> > >
> > > [ snip ]
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4147    case TCP_ZEROCOPY_RECEIVE: {
> > > 7eeba1706eba6d Arjun Roy                2021-01-20  4148            struct scm_timestamping_internal tss;
> > > e0fecb289ad3fd Arjun Roy                2020-12-10  4149            struct tcp_zerocopy_receive zc = {};
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4150            int err;
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4151
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4152            if (get_user(len, optlen))
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4153                    return -EFAULT;
> > > c8856c05145490 Arjun Roy                2020-02-14  4154            if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4155                    return -EINVAL;
> > >
> > >
> > > The problem is that negative values of "len" are type promoted to high
> > > positive values.  So the fix is to write this as:
> > >
> > >     if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > >             return -EINVAL;
> > >
> > > 110912bdf28392 Arjun Roy                2021-02-11  4156            if (unlikely(len > sizeof(zc))) {
> > > 110912bdf28392 Arjun Roy                2021-02-11  4157                    err = check_zeroed_user(optval + sizeof(zc),
> > > 110912bdf28392 Arjun Roy                2021-02-11 @4158                                            len - sizeof(zc));
> > >                                                                                                         ^^^^^^^^^^^^^^^^
> > > Potentially "len - a negative value".
> > >
> > >
> >
> > get_user(len, optlen) is called multiple times in that function. len < 0
> > was checked after the first one at the top.
> >
>
> What you're describing is a "Double Fetch" bug, where the attack is we
> get some data from the user, and we verify it, then we get it from the
> user a second time and trust it.  The problem is that the user modifies
> it between the first and second get_user() call so it ends up being a
> security vulnerability.
>
> But I'm glad you pointed out the first get_user() because it has an
> ancient, harmless pre git bug in it.
>
> net/ipv4/tcp.c
>   3888  static int do_tcp_getsockopt(struct sock *sk, int level,
>   3889                  int optname, char __user *optval, int __user *optlen)
>   3890  {
>   3891          struct inet_connection_sock *icsk = inet_csk(sk);
>   3892          struct tcp_sock *tp = tcp_sk(sk);
>   3893          struct net *net = sock_net(sk);
>   3894          int val, len;
>   3895
>   3896          if (get_user(len, optlen))
>   3897                  return -EFAULT;
>   3898
>   3899          len = min_t(unsigned int, len, sizeof(int));
>   3900
>   3901          if (len < 0)
>                     ^^^^^^^
> This is impossible.  "len" has to be in the 0-4 range because of the
> min_t() assignment.  It's harmless though and the condition should just
> be removed.
>
>   3902                  return -EINVAL;
>   3903
>   3904          switch (optname) {
>   3905          case TCP_MAXSEG:
>
> Anyway, I will create a new Smatch warning for this situation.
>
> > Also, maybe I am missing something here, but offsetofend can not return
> > a negative value, so this checks catches len < 0 as well:
> >
> >       if (len < offsetofend(struct tcp_zerocopy_receive, length))
> >               return -EINVAL;
> >
>
> offsetofend is (unsigned long)12.  If we compare a negative integer with
> (unsigned long)12 then negative number is type promoted to a high
> positive value.
>
>         if (-1 < (usigned long)12)
>                 printf("dan is wrong\n");
>
> regards,
> dan carpenter
>
>
Thank you for the catch. I will send out a fix momentarily.

Actually, now I'm curious - why does do_tcp_getsockopt get called so
many times, per getsockopt target - rather than just using the
originally read value?

-Arjun

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-15 16:02       ` Dan Carpenter
  (?)
  (?)
@ 2021-02-25 22:59       ` Arjun Roy
  -1 siblings, 0 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-25 22:59 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 5806 bytes --]

On Mon, Feb 15, 2021 at 8:02 AM Dan Carpenter <dan.carpenter@oracle.com>
wrote:

> On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> > On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > > Hi Arjun,
> > >
> > > url:
> https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > > base:
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
> e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer
> overflow 'len'
> > >
> > > vim +/len +4158 net/ipv4/tcp.c
> > >
> > > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int
> do_tcp_getsockopt(struct sock *sk, int level,
> > > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897
> int optname, char __user *optval, int __user *optlen)
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> > > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899    struct
> inet_connection_sock *icsk = inet_csk(sk);
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900    struct
> tcp_sock *tp = tcp_sk(sk);
> > > 6fa251663069e0 Nikolay Borisov          2016-02-03  3901    struct net
> *net = sock_net(sk);
> > > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902    int val,
> len;
> > >
> > > "len" is int.
> > >
> > > [ snip ]
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef
> CONFIG_MMU
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4147    case
> TCP_ZEROCOPY_RECEIVE: {
> > > 7eeba1706eba6d Arjun Roy                2021-01-20  4148
> struct scm_timestamping_internal tss;
> > > e0fecb289ad3fd Arjun Roy                2020-12-10  4149
> struct tcp_zerocopy_receive zc = {};
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4150
> int err;
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4151
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4152            if
> (get_user(len, optlen))
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4153
>       return -EFAULT;
> > > c8856c05145490 Arjun Roy                2020-02-14  4154            if
> (len < offsetofend(struct tcp_zerocopy_receive, length))
> > > 05255b823a6173 Eric Dumazet             2018-04-27  4155
>       return -EINVAL;
> > >
> > >
> > > The problem is that negative values of "len" are type promoted to high
> > > positive values.  So the fix is to write this as:
> > >
> > >     if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive,
> length))
> > >             return -EINVAL;
> > >
> > > 110912bdf28392 Arjun Roy                2021-02-11  4156            if
> (unlikely(len > sizeof(zc))) {
> > > 110912bdf28392 Arjun Roy                2021-02-11  4157
>       err = check_zeroed_user(optval + sizeof(zc),
> > > 110912bdf28392 Arjun Roy                2021-02-11 @4158
>                               len - sizeof(zc));
> > >
>                                  ^^^^^^^^^^^^^^^^
> > > Potentially "len - a negative value".
> > >
> > >
> >
> > get_user(len, optlen) is called multiple times in that function. len < 0
> > was checked after the first one at the top.
> >
>
> What you're describing is a "Double Fetch" bug, where the attack is we
> get some data from the user, and we verify it, then we get it from the
> user a second time and trust it.  The problem is that the user modifies
> it between the first and second get_user() call so it ends up being a
> security vulnerability.
>
> But I'm glad you pointed out the first get_user() because it has an
> ancient, harmless pre git bug in it.
>
> net/ipv4/tcp.c
>   3888  static int do_tcp_getsockopt(struct sock *sk, int level,
>   3889                  int optname, char __user *optval, int __user
> *optlen)
>   3890  {
>   3891          struct inet_connection_sock *icsk = inet_csk(sk);
>   3892          struct tcp_sock *tp = tcp_sk(sk);
>   3893          struct net *net = sock_net(sk);
>   3894          int val, len;
>   3895
>   3896          if (get_user(len, optlen))
>   3897                  return -EFAULT;
>   3898
>   3899          len = min_t(unsigned int, len, sizeof(int));
>   3900
>   3901          if (len < 0)
>                     ^^^^^^^
> This is impossible.  "len" has to be in the 0-4 range because of the
> min_t() assignment.  It's harmless though and the condition should just
> be removed.
>
>   3902                  return -EINVAL;
>   3903
>   3904          switch (optname) {
>   3905          case TCP_MAXSEG:
>
> Anyway, I will create a new Smatch warning for this situation.
>
> > Also, maybe I am missing something here, but offsetofend can not return
> > a negative value, so this checks catches len < 0 as well:
> >
> >       if (len < offsetofend(struct tcp_zerocopy_receive, length))
> >               return -EINVAL;
> >
>
> offsetofend is (unsigned long)12.  If we compare a negative integer with
> (unsigned long)12 then negative number is type promoted to a high
> positive value.
>
>         if (-1 < (usigned long)12)
>                 printf("dan is wrong\n");
>
> regards,
> dan carpenter
>
>
Thank you for the catch. I will send out a fix momentarily.

Actually, now I'm curious - why does do_tcp_getsockopt get called so many
times, per getsockopt target - rather than just using the originally read
value?

-Arjun

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 7804 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-15 15:04   ` David Ahern
  2021-02-15 16:02       ` Dan Carpenter
@ 2021-02-15 16:02       ` Dan Carpenter
  0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 16:02 UTC (permalink / raw)
  To: David Ahern
  Cc: kbuild, Arjun Roy, davem, netdev, lkp, kbuild-all, arjunroy,
	edumazet, soheil, Leon Romanovsky, Jakub Kicinski

On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > Hi Arjun,
> > 
> > url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537 
> > base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git  e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > 
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > smatch warnings:
> > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > 
> > vim +/len +4158 net/ipv4/tcp.c
> > 
> > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
> > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
> > 6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;
> > 
> > "len" is int.
> > 
> > [ snip ]
> > 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
> > 05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
> > 7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
> > e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
> > 05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
> > 05255b823a6173 Eric Dumazet             2018-04-27  4151  
> > 05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
> > 05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
> > c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > 05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;
> > 
> > 
> > The problem is that negative values of "len" are type promoted to high
> > positive values.  So the fix is to write this as:
> > 
> > 	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > 		return -EINVAL;
> > 
> > 110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
> > 110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
> > 110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
> >                                                                                                         ^^^^^^^^^^^^^^^^
> > Potentially "len - a negative value".
> > 
> > 
> 
> get_user(len, optlen) is called multiple times in that function. len < 0
> was checked after the first one at the top.
> 

What you're describing is a "Double Fetch" bug, where the attack is we
get some data from the user, and we verify it, then we get it from the
user a second time and trust it.  The problem is that the user modifies
it between the first and second get_user() call so it ends up being a
security vulnerability.

But I'm glad you pointed out the first get_user() because it has an
ancient, harmless pre git bug in it.

net/ipv4/tcp.c
  3888  static int do_tcp_getsockopt(struct sock *sk, int level,
  3889                  int optname, char __user *optval, int __user *optlen)
  3890  {
  3891          struct inet_connection_sock *icsk = inet_csk(sk);
  3892          struct tcp_sock *tp = tcp_sk(sk);
  3893          struct net *net = sock_net(sk);
  3894          int val, len;
  3895  
  3896          if (get_user(len, optlen))
  3897                  return -EFAULT;
  3898  
  3899          len = min_t(unsigned int, len, sizeof(int));
  3900  
  3901          if (len < 0)
                    ^^^^^^^
This is impossible.  "len" has to be in the 0-4 range because of the
min_t() assignment.  It's harmless though and the condition should just
be removed.

  3902                  return -EINVAL;
  3903  
  3904          switch (optname) {
  3905          case TCP_MAXSEG:

Anyway, I will create a new Smatch warning for this situation.

> Also, maybe I am missing something here, but offsetofend can not return
> a negative value, so this checks catches len < 0 as well:
> 
> 	if (len < offsetofend(struct tcp_zerocopy_receive, length))
> 		return -EINVAL;
> 

offsetofend is (unsigned long)12.  If we compare a negative integer with
(unsigned long)12 then negative number is type promoted to a high
positive value.

	if (-1 < (usigned long)12)
		printf("dan is wrong\n");

regards,
dan carpenter



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 16:02       ` Dan Carpenter
  0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 16:02 UTC (permalink / raw)
  To: kbuild

[-- Attachment #1: Type: text/plain, Size: 5207 bytes --]

On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > Hi Arjun,
> > 
> > url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537 
> > base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git  e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > 
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > smatch warnings:
> > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > 
> > vim +/len +4158 net/ipv4/tcp.c
> > 
> > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
> > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
> > 6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;
> > 
> > "len" is int.
> > 
> > [ snip ]
> > 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
> > 05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
> > 7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
> > e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
> > 05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
> > 05255b823a6173 Eric Dumazet             2018-04-27  4151  
> > 05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
> > 05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
> > c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > 05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;
> > 
> > 
> > The problem is that negative values of "len" are type promoted to high
> > positive values.  So the fix is to write this as:
> > 
> > 	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > 		return -EINVAL;
> > 
> > 110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
> > 110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
> > 110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
> >                                                                                                         ^^^^^^^^^^^^^^^^
> > Potentially "len - a negative value".
> > 
> > 
> 
> get_user(len, optlen) is called multiple times in that function. len < 0
> was checked after the first one at the top.
> 

What you're describing is a "Double Fetch" bug, where the attack is we
get some data from the user, and we verify it, then we get it from the
user a second time and trust it.  The problem is that the user modifies
it between the first and second get_user() call so it ends up being a
security vulnerability.

But I'm glad you pointed out the first get_user() because it has an
ancient, harmless pre git bug in it.

net/ipv4/tcp.c
  3888  static int do_tcp_getsockopt(struct sock *sk, int level,
  3889                  int optname, char __user *optval, int __user *optlen)
  3890  {
  3891          struct inet_connection_sock *icsk = inet_csk(sk);
  3892          struct tcp_sock *tp = tcp_sk(sk);
  3893          struct net *net = sock_net(sk);
  3894          int val, len;
  3895  
  3896          if (get_user(len, optlen))
  3897                  return -EFAULT;
  3898  
  3899          len = min_t(unsigned int, len, sizeof(int));
  3900  
  3901          if (len < 0)
                    ^^^^^^^
This is impossible.  "len" has to be in the 0-4 range because of the
min_t() assignment.  It's harmless though and the condition should just
be removed.

  3902                  return -EINVAL;
  3903  
  3904          switch (optname) {
  3905          case TCP_MAXSEG:

Anyway, I will create a new Smatch warning for this situation.

> Also, maybe I am missing something here, but offsetofend can not return
> a negative value, so this checks catches len < 0 as well:
> 
> 	if (len < offsetofend(struct tcp_zerocopy_receive, length))
> 		return -EINVAL;
> 

offsetofend is (unsigned long)12.  If we compare a negative integer with
(unsigned long)12 then negative number is type promoted to a high
positive value.

	if (-1 < (usigned long)12)
		printf("dan is wrong\n");

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 16:02       ` Dan Carpenter
  0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 16:02 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 5207 bytes --]

On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > Hi Arjun,
> > 
> > url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537 
> > base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git  e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > 
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > smatch warnings:
> > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > 
> > vim +/len +4158 net/ipv4/tcp.c
> > 
> > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
> > 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
> > 6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
> > ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;
> > 
> > "len" is int.
> > 
> > [ snip ]
> > 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
> > 05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
> > 7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
> > e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
> > 05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
> > 05255b823a6173 Eric Dumazet             2018-04-27  4151  
> > 05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
> > 05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
> > c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > 05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;
> > 
> > 
> > The problem is that negative values of "len" are type promoted to high
> > positive values.  So the fix is to write this as:
> > 
> > 	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > 		return -EINVAL;
> > 
> > 110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
> > 110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
> > 110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
> >                                                                                                         ^^^^^^^^^^^^^^^^
> > Potentially "len - a negative value".
> > 
> > 
> 
> get_user(len, optlen) is called multiple times in that function. len < 0
> was checked after the first one at the top.
> 

What you're describing is a "Double Fetch" bug, where the attack is we
get some data from the user, and we verify it, then we get it from the
user a second time and trust it.  The problem is that the user modifies
it between the first and second get_user() call so it ends up being a
security vulnerability.

But I'm glad you pointed out the first get_user() because it has an
ancient, harmless pre git bug in it.

net/ipv4/tcp.c
  3888  static int do_tcp_getsockopt(struct sock *sk, int level,
  3889                  int optname, char __user *optval, int __user *optlen)
  3890  {
  3891          struct inet_connection_sock *icsk = inet_csk(sk);
  3892          struct tcp_sock *tp = tcp_sk(sk);
  3893          struct net *net = sock_net(sk);
  3894          int val, len;
  3895  
  3896          if (get_user(len, optlen))
  3897                  return -EFAULT;
  3898  
  3899          len = min_t(unsigned int, len, sizeof(int));
  3900  
  3901          if (len < 0)
                    ^^^^^^^
This is impossible.  "len" has to be in the 0-4 range because of the
min_t() assignment.  It's harmless though and the condition should just
be removed.

  3902                  return -EINVAL;
  3903  
  3904          switch (optname) {
  3905          case TCP_MAXSEG:

Anyway, I will create a new Smatch warning for this situation.

> Also, maybe I am missing something here, but offsetofend can not return
> a negative value, so this checks catches len < 0 as well:
> 
> 	if (len < offsetofend(struct tcp_zerocopy_receive, length))
> 		return -EINVAL;
> 

offsetofend is (unsigned long)12.  If we compare a negative integer with
(unsigned long)12 then negative number is type promoted to a high
positive value.

	if (-1 < (usigned long)12)
		printf("dan is wrong\n");

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-15 12:03   ` Dan Carpenter
  (?)
  (?)
@ 2021-02-15 15:04   ` David Ahern
  2021-02-15 16:02       ` Dan Carpenter
  -1 siblings, 1 reply; 14+ messages in thread
From: David Ahern @ 2021-02-15 15:04 UTC (permalink / raw)
  To: Dan Carpenter, kbuild, Arjun Roy, davem, netdev
  Cc: lkp, kbuild-all, arjunroy, edumazet, soheil, David Ahern,
	Leon Romanovsky, Jakub Kicinski

On 2/15/21 5:03 AM, Dan Carpenter wrote:
> Hi Arjun,
> 
> url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> config: x86_64-randconfig-m001-20210209 (attached as .config)
> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> smatch warnings:
> net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> 
> vim +/len +4158 net/ipv4/tcp.c
> 
> 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
> 3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
> ^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
> 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
> ^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
> 6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
> ^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;
> 
> "len" is int.
> 
> [ snip ]
> 05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
> 05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
> 7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
> e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
> 05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
> 05255b823a6173 Eric Dumazet             2018-04-27  4151  
> 05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
> 05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
> c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
> 05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;
> 
> 
> The problem is that negative values of "len" are type promoted to high
> positive values.  So the fix is to write this as:
> 
> 	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> 		return -EINVAL;
> 
> 110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
> 110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
> 110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
>                                                                                                         ^^^^^^^^^^^^^^^^
> Potentially "len - a negative value".
> 
> 

get_user(len, optlen) is called multiple times in that function. len < 0
was checked after the first one at the top.

Also, maybe I am missing something here, but offsetofend can not return
a negative value, so this checks catches len < 0 as well:

	if (len < offsetofend(struct tcp_zerocopy_receive, length))
		return -EINVAL;



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-11 21:21 Arjun Roy
  2021-02-12  2:08 ` Jakub Kicinski
@ 2021-02-15 12:03   ` Dan Carpenter
  2021-02-15 12:03   ` Dan Carpenter
  2 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 12:03 UTC (permalink / raw)
  To: kbuild, Arjun Roy, davem, netdev
  Cc: lkp, kbuild-all, arjunroy, edumazet, soheil, David Ahern,
	Leon Romanovsky, Jakub Kicinski

[-- Attachment #1: Type: text/plain, Size: 3441 bytes --]

Hi Arjun,

url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'

vim +/len +4158 net/ipv4/tcp.c

3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;

"len" is int.

[ snip ]
05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
05255b823a6173 Eric Dumazet             2018-04-27  4151  
05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;


The problem is that negative values of "len" are type promoted to high
positive values.  So the fix is to write this as:

	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
		return -EINVAL;

110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
                                                                                                        ^^^^^^^^^^^^^^^^
Potentially "len - a negative value".


110912bdf28392 Arjun Roy                2021-02-11  4159  			if (err < 1)
110912bdf28392 Arjun Roy                2021-02-11  4160  				return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy                2020-02-14  4161  			len = sizeof(zc);
0b7f41f68710cc Arjun Roy                2020-02-25  4162  			if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy                2020-02-25  4163  				return -EFAULT;
0b7f41f68710cc Arjun Roy                2020-02-25  4164  		}

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 12:03   ` Dan Carpenter
  0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 12:03 UTC (permalink / raw)
  To: kbuild

[-- Attachment #1: Type: text/plain, Size: 3503 bytes --]

Hi Arjun,

url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'

vim +/len +4158 net/ipv4/tcp.c

3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;

"len" is int.

[ snip ]
05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
05255b823a6173 Eric Dumazet             2018-04-27  4151  
05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;


The problem is that negative values of "len" are type promoted to high
positive values.  So the fix is to write this as:

	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
		return -EINVAL;

110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
                                                                                                        ^^^^^^^^^^^^^^^^
Potentially "len - a negative value".


110912bdf28392 Arjun Roy                2021-02-11  4159  			if (err < 1)
110912bdf28392 Arjun Roy                2021-02-11  4160  				return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy                2020-02-14  4161  			len = sizeof(zc);
0b7f41f68710cc Arjun Roy                2020-02-25  4162  			if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy                2020-02-25  4163  				return -EFAULT;
0b7f41f68710cc Arjun Roy                2020-02-25  4164  		}

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 12:03   ` Dan Carpenter
  0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 12:03 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 3503 bytes --]

Hi Arjun,

url:    https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'

vim +/len +4158 net/ipv4/tcp.c

3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3896  static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin            2006-03-20  3897  		int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  3898  {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09  3899  	struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3900  	struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov          2016-02-03  3901  	struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds           2005-04-16  3902  	int val, len;

"len" is int.

[ snip ]
05255b823a6173 Eric Dumazet             2018-04-27  4146  #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet             2018-04-27  4147  	case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy                2021-01-20  4148  		struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy                2020-12-10  4149  		struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet             2018-04-27  4150  		int err;
05255b823a6173 Eric Dumazet             2018-04-27  4151  
05255b823a6173 Eric Dumazet             2018-04-27  4152  		if (get_user(len, optlen))
05255b823a6173 Eric Dumazet             2018-04-27  4153  			return -EFAULT;
c8856c05145490 Arjun Roy                2020-02-14  4154  		if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet             2018-04-27  4155  			return -EINVAL;


The problem is that negative values of "len" are type promoted to high
positive values.  So the fix is to write this as:

	if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
		return -EINVAL;

110912bdf28392 Arjun Roy                2021-02-11  4156  		if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy                2021-02-11  4157  			err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy                2021-02-11 @4158  						len - sizeof(zc));
                                                                                                        ^^^^^^^^^^^^^^^^
Potentially "len - a negative value".


110912bdf28392 Arjun Roy                2021-02-11  4159  			if (err < 1)
110912bdf28392 Arjun Roy                2021-02-11  4160  				return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy                2020-02-14  4161  			len = sizeof(zc);
0b7f41f68710cc Arjun Roy                2020-02-25  4162  			if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy                2020-02-25  4163  				return -EFAULT;
0b7f41f68710cc Arjun Roy                2020-02-25  4164  		}

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-11 21:21 Arjun Roy
  2021-02-12  2:08 ` Jakub Kicinski
@ 2021-02-12  3:10 ` patchwork-bot+netdevbpf
  2021-02-15 12:03   ` Dan Carpenter
  2 siblings, 0 replies; 14+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-02-12  3:10 UTC (permalink / raw)
  To: Arjun Roy; +Cc: davem, netdev, arjunroy, edumazet, soheil, dsahern, leon, kuba

Hello:

This patch was applied to netdev/net-next.git (refs/heads/master):

On Thu, 11 Feb 2021 13:21:07 -0800 you wrote:
> From: Arjun Roy <arjunroy@google.com>
> 
> Explicitly define reserved field and require it and any subsequent
> fields to be zero-valued for now. Additionally, limit the valid CMSG
> flags that tcp_zerocopy_receive accepts.
> 
> Fixes: 7eeba1706eba ("tcp: Add receive timestamp support for receive zerocopy.")
> Signed-off-by: Arjun Roy <arjunroy@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Suggested-by: David Ahern <dsahern@gmail.com>
> Suggested-by: Leon Romanovsky <leon@kernel.org>
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> 
> [...]

Here is the summary with links:
  - [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
    https://git.kernel.org/netdev/net-next/c/3c5a2fd042d0

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
  2021-02-11 21:21 Arjun Roy
@ 2021-02-12  2:08 ` Jakub Kicinski
  2021-02-12  3:10 ` patchwork-bot+netdevbpf
  2021-02-15 12:03   ` Dan Carpenter
  2 siblings, 0 replies; 14+ messages in thread
From: Jakub Kicinski @ 2021-02-12  2:08 UTC (permalink / raw)
  To: Arjun Roy
  Cc: davem, netdev, arjunroy, edumazet, soheil, David Ahern, Leon Romanovsky

On Thu, 11 Feb 2021 13:21:07 -0800 Arjun Roy wrote:
> +		if (unlikely(len > sizeof(zc))) {
> +			err = check_zeroed_user(optval + sizeof(zc),
> +						len - sizeof(zc));
> +			if (err < 1)
> +				return err == 0 ? -EINVAL : err;

nit: return err ? : -EINVAL;

>  			len = sizeof(zc);
>  			if (put_user(len, optlen))
>  				return -EFAULT;
>  		}
>  		if (copy_from_user(&zc, optval, len))
>  			return -EFAULT;
> +		if (zc.reserved)
> +			return -EINVAL;
> +		if (zc.msg_flags &  ~(TCP_VALID_ZC_MSG_FLAGS))

nit: parens unnecessary

But neither is a big deal:

Acked-by: Jakub Kicinski <kuba@kernel.org>

^ permalink raw reply	[flat|nested] 14+ messages in thread

* [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-11 21:21 Arjun Roy
  2021-02-12  2:08 ` Jakub Kicinski
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-11 21:21 UTC (permalink / raw)
  To: davem, netdev
  Cc: arjunroy, edumazet, soheil, David Ahern, Leon Romanovsky, Jakub Kicinski

From: Arjun Roy <arjunroy@google.com>

Explicitly define reserved field and require it and any subsequent
fields to be zero-valued for now. Additionally, limit the valid CMSG
flags that tcp_zerocopy_receive accepts.

Fixes: 7eeba1706eba ("tcp: Add receive timestamp support for receive zerocopy.")
Signed-off-by: Arjun Roy <arjunroy@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Suggested-by: David Ahern <dsahern@gmail.com>
Suggested-by: Leon Romanovsky <leon@kernel.org>
Suggested-by: Jakub Kicinski <kuba@kernel.org>
---
 include/uapi/linux/tcp.h |  2 +-
 net/ipv4/tcp.c           | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
index 42fc5a640df4..8fc09e8638b3 100644
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -357,6 +357,6 @@ struct tcp_zerocopy_receive {
 	__u64 msg_control; /* ancillary data */
 	__u64 msg_controllen;
 	__u32 msg_flags;
-	/* __u32 hole;  Next we must add >1 u32 otherwise length checks fail. */
+	__u32 reserved; /* set to 0 for now */
 };
 #endif /* _UAPI_LINUX_TCP_H */
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e1a17c6b473c..9896ca10bb34 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2030,6 +2030,7 @@ static int tcp_zerocopy_vm_insert_batch(struct vm_area_struct *vma,
 		err);
 }
 
+#define TCP_VALID_ZC_MSG_FLAGS   (TCP_CMSG_TS)
 static void tcp_recv_timestamp(struct msghdr *msg, const struct sock *sk,
 			       struct scm_timestamping_internal *tss);
 static void tcp_zc_finalize_rx_tstamp(struct sock *sk,
@@ -4152,13 +4153,21 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
 			return -EFAULT;
 		if (len < offsetofend(struct tcp_zerocopy_receive, length))
 			return -EINVAL;
-		if (len > sizeof(zc)) {
+		if (unlikely(len > sizeof(zc))) {
+			err = check_zeroed_user(optval + sizeof(zc),
+						len - sizeof(zc));
+			if (err < 1)
+				return err == 0 ? -EINVAL : err;
 			len = sizeof(zc);
 			if (put_user(len, optlen))
 				return -EFAULT;
 		}
 		if (copy_from_user(&zc, optval, len))
 			return -EFAULT;
+		if (zc.reserved)
+			return -EINVAL;
+		if (zc.msg_flags &  ~(TCP_VALID_ZC_MSG_FLAGS))
+			return -EINVAL;
 		lock_sock(sk);
 		err = tcp_zerocopy_receive(sk, &zc, &tss);
 		release_sock(sk);
-- 
2.30.0.478.g8a0d178c01-goog


^ permalink raw reply related	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2021-02-25 23:01 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-12  2:28 [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive kernel test robot
  -- strict thread matches above, loose matches on Subject: below --
2021-02-11 21:21 Arjun Roy
2021-02-12  2:08 ` Jakub Kicinski
2021-02-12  3:10 ` patchwork-bot+netdevbpf
2021-02-15 12:03 ` Dan Carpenter
2021-02-15 12:03   ` Dan Carpenter
2021-02-15 12:03   ` Dan Carpenter
2021-02-15 15:04   ` David Ahern
2021-02-15 16:02     ` Dan Carpenter
2021-02-15 16:02       ` Dan Carpenter
2021-02-15 16:02       ` Dan Carpenter
2021-02-25 22:59       ` Arjun Roy
2021-02-25 23:00       ` Arjun Roy
2021-02-25 23:00         ` Arjun Roy

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.