2022-03-01 07:53:42

by Harold Huang

[permalink] [raw]
Subject: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg

In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
tun_sendmsg. Although we donot use msg_controllen in this path, we should
check msg_controllen to make sure the caller pass a valid msg_ctl.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505

Reported-by: Eric Dumazet <[email protected]>
Suggested-by: Jason Wang <[email protected]>
Signed-off-by: Harold Huang <[email protected]>
---
drivers/net/tap.c | 3 ++-
drivers/net/tun.c | 3 ++-
drivers/vhost/net.c | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
struct xdp_buff *xdp;
int i;

- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
for (i = 0; i < ctl->num; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
tap_get_user_xdp(q, xdp);
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 969ea69fd29d..2a0d8a5d7aec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (!tun)
return -EBADFD;

- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 28ef323882fb..792ab5f23647 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
goto signal_used;

msghdr->msg_control = &ctl;
+ msghdr->msg_controllen = sizeof(ctl);
err = sock->ops->sendmsg(sock, msghdr, 0);
if (unlikely(err < 0)) {
vq_err(&nvq->vq, "Fail to batch sending packets\n");
--
2.27.0


2022-03-02 02:26:07

by Jakub Kicinski

[permalink] [raw]
Subject: Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg

On Tue, 1 Mar 2022 14:43:14 +0800 Harold Huang wrote:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <[email protected]>
> Suggested-by: Jason Wang <[email protected]>
> Signed-off-by: Harold Huang <[email protected]>

Would you mind resending the same patch? It looks like it depended on
your other change so the build bot was unable to apply and test it.

2022-03-02 12:10:44

by Harold Huang

[permalink] [raw]
Subject: Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg

On Wed, Mar 2, 2022 at 10:05 AM Jakub Kicinski <[email protected]> wrote:
>
> On Tue, 1 Mar 2022 14:43:14 +0800 Harold Huang wrote:
> > In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> > tun_sendmsg. Although we donot use msg_controllen in this path, we should
> > check msg_controllen to make sure the caller pass a valid msg_ctl.
> >
> > [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
> >
> > Reported-by: Eric Dumazet <[email protected]>
> > Suggested-by: Jason Wang <[email protected]>
> > Signed-off-by: Harold Huang <[email protected]>
>
> Would you mind resending the same patch? It looks like it depended on
> your other change so the build bot was unable to apply and test it.

Yes, it depends on this patch [1] which has been applied to netdev. I
see this patch could be applied to netdev by git am. But if I use
another patch that could be applied to linux master, it could not be
applied to netdev anymore.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=fb3f903769e8

2022-03-03 02:29:34

by Harold Huang

[permalink] [raw]
Subject: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg

In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
tun_sendmsg. Although we donot use msg_controllen in this path, we should
check msg_controllen to make sure the caller pass a valid msg_ctl.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505

Reported-by: Eric Dumazet <[email protected]>
Suggested-by: Jason Wang <[email protected]>
Signed-off-by: Harold Huang <[email protected]>
---
drivers/net/tap.c | 3 ++-
drivers/net/tun.c | 3 ++-
drivers/vhost/net.c | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
struct xdp_buff *xdp;
int i;

- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
for (i = 0; i < ctl->num; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
tap_get_user_xdp(q, xdp);
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 969ea69fd29d..2a0d8a5d7aec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (!tun)
return -EBADFD;

- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 28ef323882fb..792ab5f23647 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
goto signal_used;

msghdr->msg_control = &ctl;
+ msghdr->msg_controllen = sizeof(ctl);
err = sock->ops->sendmsg(sock, msghdr, 0);
if (unlikely(err < 0)) {
vq_err(&nvq->vq, "Fail to batch sending packets\n");
--
2.27.0

2022-03-03 04:01:05

by Jason Wang

[permalink] [raw]
Subject: Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg


在 2022/3/3 上午10:24, Harold Huang 写道:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <[email protected]>
> Suggested-by: Jason Wang <[email protected]>
> Signed-off-by: Harold Huang <[email protected]>


Acked-by: Jason Wang <[email protected]>


> ---
> drivers/net/tap.c | 3 ++-
> drivers/net/tun.c | 3 ++-
> drivers/vhost/net.c | 1 +
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index 8e3a28ba6b28..ba2ef5437e16 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
> struct xdp_buff *xdp;
> int i;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> for (i = 0; i < ctl->num; i++) {
> xdp = &((struct xdp_buff *)ctl->ptr)[i];
> tap_get_user_xdp(q, xdp);
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 969ea69fd29d..2a0d8a5d7aec 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
> if (!tun)
> return -EBADFD;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> struct tun_page tpage;
> int n = ctl->num;
> int flush = 0, queued = 0;
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 28ef323882fb..792ab5f23647 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
> goto signal_used;
>
> msghdr->msg_control = &ctl;
> + msghdr->msg_controllen = sizeof(ctl);
> err = sock->ops->sendmsg(sock, msghdr, 0);
> if (unlikely(err < 0)) {
> vq_err(&nvq->vq, "Fail to batch sending packets\n");

2022-03-03 06:30:39

by patchwork-bot+netdevbpf

[permalink] [raw]
Subject: Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg

Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <[email protected]>:

On Thu, 3 Mar 2022 10:24:40 +0800 you wrote:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <[email protected]>
> Suggested-by: Jason Wang <[email protected]>
> Signed-off-by: Harold Huang <[email protected]>
>
> [...]

Here is the summary with links:
- [net-next] tuntap: add sanity checks about msg_controllen in sendmsg
https://git.kernel.org/netdev/net-next/c/74a335a07a17

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html