netfilter-devel.vger.kernel.org archive mirror
From: Christoph Hellwig <hch@lst.de>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Eric Dumazet <edumazet@google.com>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, bpf@vger.kernel.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	linux-sctp@vger.kernel.org, linux-hams@vger.kernel.org,
	linux-bluetooth@vger.kernel.org,
	bridge@lists.linux-foundation.org, linux-can@vger.kernel.org,
	dccp@vger.kernel.org, linux-decnet-user@lists.sourceforge.net,
	linux-wpan@vger.kernel.org, linux-s390@vger.kernel.org,
	mptcp@lists.01.org, lvs-devel@vger.kernel.org,
	rds-devel@oss.oracle.com, linux-afs@lists.infradead.org,
	tipc-discussion@lists.sourceforge.net, linux-x25@vger.kernel.org
Subject: Re: [PATCH 03/24] net: add a new sockptr_t type
Date: Mon, 20 Jul 2020 19:43:22 +0200
Message-ID: <20200720174322.GA21785@lst.de>
In-Reply-To: <20200720163748.GA1292162@gmail.com>

On Mon, Jul 20, 2020 at 09:37:48AM -0700, Eric Biggers wrote:
> How does this not introduce a massive security hole when
> CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE?
> 
> AFAICS, userspace can pass in a pointer >= TASK_SIZE,
> and this code makes it be treated as a kernel pointer.

Yeah, we'll need to validate that before initializing the pointer.

But thinking this a little further:  doesn't this mean any
set_fs(KERNEL_DS) that has other user pointers than the one it is
intended for has the same issue?  Pretty much all of these are gone
in mainline now, but in older stable kernels there might be some
interesting cases, especially in the compat ioctl handlers.
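
The check discussed in this message, as a user-space model added to this archive page (not code from the patch series or from either participant). The `model_*` names and `MODEL_TASK_SIZE` are hypothetical stand-ins with constructed addresses; no pointer is ever dereferenced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user/kernel split for the model; the real TASK_SIZE is per-architecture. */
#define MODEL_TASK_SIZE 0x0000800000000000ULL

/* Untagged pointer: whether it is user or kernel is inferred from the address alone. */
typedef union {
    uint64_t kernel;
    uint64_t user;
} model_sockptr_t;

static bool model_sockptr_is_kernel(model_sockptr_t sp)
{
    return sp.kernel >= MODEL_TASK_SIZE;
}

/* Unvalidated form: stores whatever address the caller supplied. */
static model_sockptr_t model_user_sockptr_unchecked(uint64_t p)
{
    model_sockptr_t sp = { .user = p };
    return sp;
}

/* Validated form: refuse any address that would later classify as kernel. */
static int model_init_user_sockptr(model_sockptr_t *sp, uint64_t p)
{
    if (p >= MODEL_TASK_SIZE)
        return -EFAULT;
    sp->user = p;
    return 0;
}

int main(void)
{
    const uint64_t user_addr = 0x00007ffd12340000ULL; /* constructed, below the split */
    const uint64_t high_addr = 0xffff888000001000ULL; /* constructed, above the split */
    model_sockptr_t sp = { 0 };

    printf("unchecked, user-range address: is_kernel=%d\n",
           model_sockptr_is_kernel(model_user_sockptr_unchecked(user_addr)));
    printf("unchecked, high address:       is_kernel=%d\n",
           model_sockptr_is_kernel(model_user_sockptr_unchecked(high_addr)));
    printf("checked,   high address:       rc=%d\n",
           model_init_user_sockptr(&sp, high_addr));
    printf("checked,   user-range address: rc=%d\n",
           model_init_user_sockptr(&sp, user_addr));
    return 0;
}
```

Without the range check, the second line reports `is_kernel=1` for a caller-supplied value, which is the misclassification raised in the quoted question.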

Thread overview: 50+ messages
2020-07-20 12:47 get rid of the address_space override in setsockopt Christoph Hellwig
2020-07-20 12:47 ` [PATCH 01/24] bpfilter: reject kernel addresses Christoph Hellwig
2020-07-20 12:47 ` [PATCH 02/24] bpfilter: fix up a sparse annotation Christoph Hellwig
2020-07-21  2:40   ` Luc Van Oostenryck
2020-07-21  5:23     ` Christoph Hellwig
2020-07-21  5:28       ` Al Viro
2020-07-20 12:47 ` [PATCH 03/24] net: add a new sockptr_t type Christoph Hellwig
2020-07-20 16:37   ` Eric Biggers
2020-07-20 17:43     ` Christoph Hellwig [this message]
2020-07-20 17:55       ` Eric Biggers
2020-07-22  7:56         ` Christoph Hellwig
2020-07-21  9:55     ` David Laight
2020-07-21 10:14   ` David Laight
2020-07-20 12:47 ` [PATCH 04/24] net: switch copy_bpf_fprog_from_user to sockptr_t Christoph Hellwig
2020-07-20 12:47 ` [PATCH 05/24] net: switch sock_setbindtodevice " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 06/24] net: switch sock_set_timeout " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 07/24] " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 08/24] net/xfrm: switch xfrm_user_policy " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 09/24] netfilter: remove the unused user argument to do_update_counters Christoph Hellwig
2020-07-20 12:47 ` [PATCH 10/24] netfilter: switch xt_copy_counters to sockptr_t Christoph Hellwig
2020-07-20 12:47 ` [PATCH 11/24] netfilter: switch nf_setsockopt " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 12/24] bpfilter: switch bpfilter_ip_set_sockopt " Christoph Hellwig
2020-07-21  8:36   ` David Laight
2020-07-22  8:00     ` 'Christoph Hellwig'
2020-07-22  8:01       ` 'Christoph Hellwig'
2020-07-20 12:47 ` [PATCH 13/24] net/ipv4: switch ip_mroute_setsockopt " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 14/24] net/ipv4: merge ip_options_get and ip_options_get_from_user Christoph Hellwig
2020-07-20 12:47 ` [PATCH 15/24] net/ipv4: switch do_ip_setsockopt to sockptr_t Christoph Hellwig
2020-07-20 12:47 ` [PATCH 16/24] net/ipv6: switch ip6_mroute_setsockopt " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 17/24] net/ipv6: split up ipv6_flowlabel_opt Christoph Hellwig
2020-07-20 12:47 ` [PATCH 18/24] net/ipv6: switch ipv6_flowlabel_opt to sockptr_t Christoph Hellwig
2020-07-20 12:47 ` [PATCH 19/24] net/ipv6: factor out a ipv6_set_opt_hdr helper Christoph Hellwig
2020-07-20 12:47 ` [PATCH 20/24] net/ipv6: switch do_ipv6_setsockopt to sockptr_t Christoph Hellwig
2020-07-20 12:47 ` [PATCH 21/24] net/udp: switch udp_lib_setsockopt " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 22/24] net/tcp: switch ->md5_parse " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 23/24] net/tcp: switch do_tcp_setsockopt " Christoph Hellwig
2020-07-20 12:47 ` [PATCH 24/24] net: pass a sockptr_t into ->setsockopt Christoph Hellwig
2020-07-20 14:19   ` Stefan Schmidt
2020-07-20 23:20     ` David Miller
2020-07-22  8:26   ` [MPTCP] " Matthieu Baerts
2020-07-20 16:38 ` get rid of the address_space override in setsockopt Eric Biggers
2020-07-20 17:43   ` Christoph Hellwig
2020-07-20 20:47 ` Alexei Starovoitov
2020-07-22  7:56   ` Christoph Hellwig
2020-07-22 17:09     ` Alexei Starovoitov
2020-07-21  9:38 ` David Laight
2020-07-22  8:06   ` 'Christoph Hellwig'
2020-07-22  8:21     ` David Laight
2020-07-21 10:26 ` David Laight
2020-07-22  8:07   ` 'Christoph Hellwig'
