Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp863477ybi; Sat, 15 Jun 2019 13:33:27 -0700 (PDT) X-Google-Smtp-Source: APXvYqwSZPe2sL3C6F0qD50WUNsP3bFLeIPwJLLc5RYQUo7AMqbhepELhp88dYJ7Veu/Rpje0E7w X-Received: by 2002:a17:902:2a68:: with SMTP id i95mr101451174plb.167.1560630807520; Sat, 15 Jun 2019 13:33:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560630807; cv=none; d=google.com; s=arc-20160816; b=HMeR58POVvaz6CC3gHKiem0ABIJqHOmUQu5kYBn+HXF8G+SD4veCt11pag93AUmsvJ +VVZKm/yqRf3CagWO94cdrVx0R04M66KFUsbBj2vtTb3gjm3UcMXh8yZ6SeRH5YwmJfR uZ1bPSrsYY0qrRx1Q3fg4gM1tflxMShD6qXkBuhs7fVxJ7TLUkFgElLgXprKXBvk5ERe SYCIjCV7IfTJaCgiafxDvTzDm3OD5eVH8AP27GWP/KZdVeaGtxAleTd1xeOQkQZB46nc hTMXnLzzcLnnOi335xwmSbCulJEaNm4VlorMKZyCS/cSH+kcO16fQS8gdZRZ/e69bA7v qhQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=QspLN7ReZsV+jp1UGJq/n+kY2eMY4ScXgLElsLoMRI8=; b=R96er0aDFo84Qp7Q8ob8vDKLW0uGMPhHiBf/zJ+ZInjfQEBKi9oBWEnC6wROvcsR61 Ua7PazA7K1qdfcMKh2Qlp5oeLEnVFaCPPwzI67ChkYoaBIgApgTD8oHX/bulBJ58+Jz+ SRXtqooJ3nsAYoyRtqilb8YWVgiavBqmxKJUoOu9tguIgmI1eT0oJqiWjK5WCivFwd2X 7iUntxNmzNBTdeedoyQY4jNlu9atdcO5NaA8dH3peohqOznmJokvHuk+BSKBrI7p1SSD JUmMRxWmS3vd1+3Mz1/d9JESsq8CS80t3lurverwcuux4F26vG0vaEU6fOQ8+vFjRXK3 a3Cg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u1si5937748plb.234.2019.06.15.13.32.45; Sat, 15 Jun 2019 13:33:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726890AbfFOUcm (ORCPT + 99 others); Sat, 15 Jun 2019 16:32:42 -0400 Received: from shards.monkeyblade.net ([23.128.96.9]:39354 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726490AbfFOUcm (ORCPT ); Sat, 15 Jun 2019 16:32:42 -0400 Received: from localhost (unknown [IPv6:2601:601:9f80:35cd::3d5]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id F126814EB8616; Sat, 15 Jun 2019 13:32:41 -0700 (PDT) Date: Sat, 15 Jun 2019 13:32:41 -0700 (PDT) Message-Id: <20190615.133241.1697724537695155418.davem@davemloft.net> To: houjingyi647@gmail.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] fix double-fetch bug in sock_getsockopt() From: David Miller In-Reply-To: <20190613104457.GA6296@hjy-HP-Notebook> References: <20190613104457.GA6296@hjy-HP-Notebook> X-Mailer: Mew version 6.8 on Emacs 26.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Sat, 15 Jun 2019 13:32:42 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: JingYi Hou Date: Thu, 13 Jun 2019 18:44:57 +0800 > In sock_getsockopt(), 'optlen' is fetched the first time from userspace. > 'len < 0' is then checked. Then in condition 'SO_MEMINFO', 'optlen' is > fetched the second time from userspace without check. > > if a malicious user can change it between two fetches may cause security > problems or unexpected behaivor. > > To fix this, we need to recheck it in the second fetch. > > Signed-off-by: JingYi Hou THere is no reason to fetch len a second time, so please just remove the get_user() call here instead. Also, please format your Subject line properly with appropriate subsystem prefixes etc.