From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933576AbdKOSiA (ORCPT ); Wed, 15 Nov 2017 13:38:00 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:40198 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753334AbdKOShr (ORCPT ); Wed, 15 Nov 2017 13:37:47 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Kees Cook Cc: Eric Dumazet , "David S. Miller" , Alexander Potapenko , Kostya Serebryany , Andrey Konovalov , Eric Dumazet , Network Development , LKML , security@kernel.org References: <20171031161445.GA140874@beast> <1509471094.3828.26.camel@edumazet-glaptop3.roam.corp.google.com> <871slikvvf.fsf@xmission.com> Date: Wed, 15 Nov 2017 12:37:15 -0600 In-Reply-To: (Kees Cook's message of "Tue, 14 Nov 2017 18:13:59 -0800") Message-ID: <8760ab2xt0.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1eF2Z6-0001iF-Hn;;;mid=<8760ab2xt0.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=75.170.119.32;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/hHQ+kiHpRxLzv/B2azcJfZFO5SBTGe28= X-SA-Exim-Connect-IP: 75.170.119.32 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Kees Cook X-Spam-Relay-Country: X-Spam-Timing: total 5747 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.3 (0.1%), b_tie_ro: 2.3 (0.0%), parse: 1.46 (0.0%), extract_message_metadata: 28 (0.5%), get_uri_detail_list: 4.5 (0.1%), tests_pri_-1000: 13 (0.2%), tests_pri_-950: 1.53 (0.0%), tests_pri_-900: 1.24 (0.0%), tests_pri_-400: 32 (0.6%), check_bayes: 30 (0.5%), b_tokenize: 12 (0.2%), b_tok_get_all: 9 (0.2%), b_comp_prob: 3.4 (0.1%), b_tok_touch_all: 3.7 (0.1%), b_finish: 0.71 (0.0%), tests_pri_0: 373 (6.5%), check_dkim_signature: 0.97 (0.0%), check_dkim_adsp: 7 (0.1%), tests_pri_500: 5289 (92.0%), poll_dns_idle: 5283 (91.9%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] net: recvmsg: Unconditionally zero struct sockaddr_storage X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Kees Cook writes: > On Wed, Nov 1, 2017 at 5:48 AM, Eric W. Biederman wrote: >> Eric Dumazet writes: >> >>> On Tue, 2017-10-31 at 09:14 -0700, Kees Cook wrote: >>>> Some protocols do not correctly wipe the contents of the on-stack >>>> struct sockaddr_storage sent down into recvmsg() (e.g. SCTP), and leak >>>> kernel stack contents to userspace. This wipes it unconditionally before >>>> per-protocol handlers run. >>>> >>>> Note that leaks like this are mitigated by building with >>>> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y >>>> >>>> Reported-by: Alexander Potapenko >>>> Cc: "David S. Miller" >>>> Cc: netdev@vger.kernel.org >>>> Signed-off-by: Kees Cook >>>> --- >>>> net/socket.c | 1 + >>>> 1 file changed, 1 insertion(+) >>>> >>>> diff --git a/net/socket.c b/net/socket.c >>>> index c729625eb5d3..34183f4fbdf8 100644 >>>> --- a/net/socket.c >>>> +++ b/net/socket.c >>>> @@ -2188,6 +2188,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, >>>> struct sockaddr __user *uaddr; >>>> int __user *uaddr_len = COMPAT_NAMELEN(msg); >>>> >>>> + memset(&addr, 0, sizeof(addr)); >>>> msg_sys->msg_name = &addr; >>>> >>> >>> This kind of patch comes every year. >>> >>> Standard answer is : We fix the buggy protocol, we do not make >>> everything slower just because we are lazy. >>> >>> struct sockaddr is 128 bytes, but IPV4 only uses a fraction of it. >>> >>> Also memset() is using long word stores, so next 4-byte or 2-byte stores >>> on same location hit a performance problem on x86. >>> >>> By adding all these defensive programming, we would give strong >>> incentives to bypass the kernel for networking. That would be bad. >> >> In this case it looks like the root cause is something in sctp >> not filling in the ipv6 sin6_scope_id. >> >> Which is not only a leak but a correctness bug. >> >> I ran the reproducer test program and while none of the leak checkers >> are telling me anything I have gotten as far as seeing that the returned >> length is correct and sometimes nonsense. >> >> Hmm. >> >> At a quick look it looks like all that is necessary is to do this: >> >> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c >> index 51c488769590..6301913d0516 100644 >> --- a/net/sctp/ipv6.c >> +++ b/net/sctp/ipv6.c >> @@ -807,9 +807,10 @@ static void sctp_inet6_skb_msgname(struct sk_buff *skb, char *msgname, >> addr->v6.sin6_flowinfo = 0; >> addr->v6.sin6_port = sh->source; >> addr->v6.sin6_addr = ipv6_hdr(skb)->saddr; >> - if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { >> + if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) >> addr->v6.sin6_scope_id = sctp_v6_skb_iif(skb); >> - } >> + else >> + addr->v6.sin6_scope_id = 0; >> } >> >> *addr_len = sctp_v6_addr_to_user(sctp_sk(skb->sk), addr); >> > > It looks like this never landed anywhere? Eric, are you able to resend > this as a full patch? I will take a look. I have not conducted a thorough review to make certain that is everything. I was hoping someone else would pick that change up and run with it. However the change seems obviously correct as is, so I don't have any problem sending just this bit. Eric