Subject: Re: [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
From: Laura Abbott
To: Kees Cook, linux-kernel@vger.kernel.org
Cc: David Windsor, Vlad Yasevich, Neil Horman, "David S. Miller", linux-sctp@vger.kernel.org, netdev@vger.kernel.org, Linus Torvalds, Alexander Viro, Andrew Morton, Andy Lutomirski, Christoph Hellwig, Christoph Lameter, Mark Rutland, "Martin K. Petersen", Paolo Bonzini, Christian Borntraeger, Christoffer Dall, Dave Kleikamp, Jan Kara, Luis de Bethencourt, Marc Zyngier, Rik van Riel, Matthew Garrett, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Date: Thu, 18 Jan 2018 13:31:42 -0800
Message-ID: <19a7add8-adaf-4ad4-6ae3-4a62967656b9@redhat.com>
In-Reply-To: <1515636190-24061-28-git-send-email-keescook@chromium.org>
References: <1515636190-24061-1-git-send-email-keescook@chromium.org> <1515636190-24061-28-git-send-email-keescook@chromium.org>

On 01/10/2018 06:02 PM, Kees Cook wrote:
> From: David Windsor
>
> The autoclose field can be copied with put_user(), so there is no need to
> use copy_to_user(). In both cases, hardened usercopy is being bypassed
> since the size is constant, and not open to runtime manipulation.
>
> This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
> whitelisting code in the last public patch of grsecurity/PaX based on my
> understanding of the code. Changes or omissions from the original code are
> mine and don't reflect the original grsecurity/PaX code.
>

Just tried a quick rebase and it looks like this conflicts with
c76f97c99ae6 ("sctp: make use of pre-calculated len")

I don't think we can use put_user if we're copying via the full
len?

Thanks,
Laura

> Signed-off-by: David Windsor
> [kees: adjust commit log]
> Cc: Vlad Yasevich
> Cc: Neil Horman
> Cc: "David S. Miller"
> Cc: linux-sctp@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook
> ---
> net/sctp/socket.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index efbc8f52c531..15491491ec88 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -5011,7 +5011,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv > len = sizeof(int); > if (put_user(len, optlen)) > return -EFAULT; > - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int))) > + if (put_user(sctp_sk(sk)->autoclose, (int __user *)optval)) > return -EFAULT; > return 0; > } >
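Review bot: On the added `put_user(sctp_sk(sk)->autoclose, (int __user *)optval)` line, the number of bytes written to userspace is now taken from the `(int __user *)` cast on `optval` instead of an explicit size argument, so it matches the removed `copy_to_user(..., sizeof(int))` only while the context line `len = sizeof(int);` sits directly above it. Please state that dependency in the commit log. When rebasing onto a tree where the copy length is `len` rather than `sizeof(int)`, keep the `put_user()` form only if `len` is still pinned to `sizeof(int)` at that point; otherwise the length reported through `optlen` and the bytes actually stored could diverge.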