net: improve the user pointer check in init_user_sockptr

Christoph Hellwig · davem330 · commit a31edb2059ed · 2020-07-28T13:43:40.000-07:00
Make sure not just the pointer itself but the whole range lies in the user address space. For that pass the length and then use the access_ok helper to do the check. Fixes: 6d04fe1 ("net: optimize the sockptr_t for unified kernel/user address spaces") Reported-by: David Laight <David.Laight@ACULAB.COM> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h
@@ -27,14 +27,6 @@ static inline sockptr_t KERNEL_SOCKPTR(void *p)
 {
 	return (sockptr_t) { .kernel = p };
 }
-
-static inline int __must_check init_user_sockptr(sockptr_t *sp, void __user *p)
-{
-	if ((unsigned long)p >= TASK_SIZE)
-		return -EFAULT;
-	sp->user = p;
-	return 0;
-}
 #else /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */
 typedef struct {
 	union {
@@ -53,14 +45,16 @@ static inline sockptr_t KERNEL_SOCKPTR(void *p)
 {
 	return (sockptr_t) { .kernel = p, .is_kernel = true };
 }
+#endif /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */
 
-static inline int __must_check init_user_sockptr(sockptr_t *sp, void __user *p)
+static inline int __must_check init_user_sockptr(sockptr_t *sp, void __user *p,
+		size_t size)
 {
-	sp->user = p;
-	sp->is_kernel = false;
+	if (!access_ok(p, size))
+		return -EFAULT;
+	*sp = (sockptr_t) { .user = p };
 	return 0;
 }
-#endif /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */
 
 static inline bool sockptr_is_null(sockptr_t sockptr)
 {
diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c
@@ -65,7 +65,7 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname,
 
 	if (get_user(len, optlen))
 		return -EFAULT;
-	err = init_user_sockptr(&optval, user_optval);
+	err = init_user_sockptr(&optval, user_optval, len);
 	if (err)
 		return err;
 	return bpfilter_mbox_request(sk, optname, optval, len, false);
diff --git a/net/socket.c b/net/socket.c
@@ -2105,7 +2105,7 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
 	if (optlen < 0)
 		return -EINVAL;
 
-	err = init_user_sockptr(&optval, user_optval);
+	err = init_user_sockptr(&optval, user_optval, optlen);
 	if (err)
 		return err;
 

Original file line number	Diff line number	Diff line change
`@@ -27,14 +27,6 @@ static inline sockptr_t KERNEL_SOCKPTR(void *p)`
`27`	`27`	`{`
`28`	`28`	`return (sockptr_t) { .kernel = p };`
`29`	`29`	`}`
`30`		`-`
`31`		`-static inline int __must_check init_user_sockptr(sockptr_t sp, void __user p)`
`32`		`-{`
`33`		`- if ((unsigned long)p >= TASK_SIZE)`
`34`		`- return -EFAULT;`
`35`		`- sp->user = p;`
`36`		`- return 0;`
`37`		`-}`
`38`	`30`	`#else /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */`
`39`	`31`	`typedef struct {`
`40`	`32`	`union {`
`@@ -53,14 +45,16 @@ static inline sockptr_t KERNEL_SOCKPTR(void *p)`
`53`	`45`	`{`
`54`	`46`	`return (sockptr_t) { .kernel = p, .is_kernel = true };`
`55`	`47`	`}`
	`48`	`+#endif /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */`
`56`	`49`
`57`		`-static inline int __must_check init_user_sockptr(sockptr_t sp, void __user p)`
	`50`	`+static inline int __must_check init_user_sockptr(sockptr_t sp, void __user p,`
	`51`	`+ size_t size)`
`58`	`52`	`{`
`59`		`- sp->user = p;`
`60`		`- sp->is_kernel = false;`
	`53`	`+ if (!access_ok(p, size))`
	`54`	`+ return -EFAULT;`
	`55`	`+ *sp = (sockptr_t) { .user = p };`
`61`	`56`	`return 0;`
`62`	`57`	`}`
`63`		`-#endif /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */`
`64`	`58`
`65`	`59`	`static inline bool sockptr_is_null(sockptr_t sockptr)`
`66`	`60`	`{`