From patchwork Tue Apr 25 16:51:46 2017
X-Patchwork-Submitter: Alexander Potapenko
X-Patchwork-Id: 754930
X-Patchwork-Delegate: davem@davemloft.net
From: Alexander Potapenko
To: dvyukov@google.com, kcc@google.com, edumazet@google.com, davem@davemloft.net, kuznet@ms2.inr.ac.ru
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH] net/packet: check length in getsockopt() called with PACKET_HDRLEN
Date: Tue, 25 Apr 2017 18:51:46 +0200
Message-Id: <20170425165146.25075-1-glider@google.com>

In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4
|val| remains uninitialized and the syscall may behave differently
depending on its value, and even copy garbage to userspace on certain
architectures. To fix this we now return -EINVAL if optlen is too small.

This bug has been detected with KMSAN.

Signed-off-by: Alexander Potapenko
---
The previous versions of this patch were called
"net/packet: initialize val in packet_getsockopt()"

v3:
 - change patch summary, return -EINVAL for optlen < sizeof(int)

v2:
 - if len < sizeof(int), make it 0
---
 net/packet/af_packet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 8489beff5c25..ea81ccf3c7d6 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c
@@ -3836,6 +3836,8 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); + if (len < sizeof(int)) + return -EINVAL; if (copy_from_user(&val, optval, len)) return -EFAULT; switch (val) {
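
Review bot: In the PACKET_HDRLEN case the added `if (len < sizeof(int)) return -EINVAL;` sits directly after the existing clamp `if (len > sizeof(int)) len = sizeof(int);`, so by the time copy_from_user(&val, optval, len) runs, len can only be exactly sizeof(int); that invariant is what makes val fully initialized before `switch (val)`, but nothing in the code says so. A one-line comment stating that val must be completely populated from userspace, or passing sizeof(val) to copy_from_user() directly, would keep a later edit from relaxing one of the two checks and bringing back the partially initialized read described in the commit message. Both comparisons are against sizeof(int), which is unsigned: if len is a signed type here, a negative value compares as a large unsigned number and is clamped by the first check rather than rejected by the new one, so it is worth confirming that negative lengths are refused before this case is reached. The commit message could also say explicitly that callers passing a short optlen now get -EINVAL where they previously proceeded to the copy, since that is a userspace-visible change.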