Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp1128028ybp;
        Wed, 9 Oct 2019 09:10:36 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwibsZnq6c5hHL8gtjFoY2L2WYyMPlFiiivQCFSQhrqeV8JtineiD1Ve4CgE2lZ62e45LVy
X-Received: by 2002:a50:ab10:: with SMTP id s16mr3651253edc.118.1570637436822;
        Wed, 09 Oct 2019 09:10:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570637436; cv=none;
        d=google.com; s=arc-20160816;
        b=ROQc7Tas9RPy2sZq5aeqDmU75n8LizvnWGEzz4neWMYP8onaC5ERjnspJDmKCP1lLD
         h/ZR4Osl5pIKf1qyQ6oKnb1MBK3QKT0/8/UzF2kmveSUGSnLQbWhyTJIYDzvMKlQAJtK
         2OcVg67Kp2Si5I7WvLjsNDxJECj3Gu/I1IRGgJbEBku1LKOBkZFUVKtpXe9v5Tr+F9j8
         Dsf1tVkMIJtPzm+LroRI0e8fLhaXke7KsPRjgVSjN10c9rFqLsn+vl2GFd8Pd0xCxXbZ
         MrEA2ZWEkvl3yBx3Z/efVUJw7kMRX8D+TkK9u42dTF49QYN81HFtfy0WI6qNoHWea55V
         Q0yQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=yJLe1o/gTYy2j8DDsJf493ZDSn86SJPUNBjE3tyLsic=;
        b=uN8qn9GFtmgdenpTXvl7SmFEK4Yx64xB04YT7+O+OEWoqzFCLQonPf55+oTTt7laU2
         MmZrHU8k9tqDuLqLC/ieLWQ8sio+6weE+SIA/6kEPNgQOgCMIxek9idhMAli6CF/bJBw
         L+oCMN2OdxLbDQBL1d0ktVtcQu/4bdRd4cqrHcgmXdy+b7C1l6SWEN6Tt0ymzVSKIkko
         flQIdp/mp/UZoISIyFj+UaK1anbLMj6WNSLgI79DvHhvOX02iL3x7DYGQmAbUY0FTw/M
         rcEeO0WrM8+JL8EVtkY4oZwCUag6AEpH2i834INnNNbyX3Rj2KT+KbLB1tdC6VgLz3op
         w33w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 2si1444006ejq.243.2019.10.09.09.10.12;
        Wed, 09 Oct 2019 09:10:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731788AbfJIQJc (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Wed, 9 Oct 2019 12:09:32 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:41924 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1731686AbfJIQJQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 9 Oct 2019 12:09:16 -0400
Received: from [213.220.153.21] (helo=localhost.localdomain)
        by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.86_2)
        (envelope-from <christian.brauner@ubuntu.com>)
        id 1iIEWX-00034Q-U1; Wed, 09 Oct 2019 16:09:13 +0000
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>, bpf@vger.kernel.org
Cc:     Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
        Yonghong Song <yhs@fb.com>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Christian Brauner <christian.brauner@ubuntu.com>
Subject: [PATCH 3/3] bpf: use copy_struct_from_user() in bpf() syscall
Date:   Wed,  9 Oct 2019 18:09:07 +0200
Message-Id: <20191009160907.10981-4-christian.brauner@ubuntu.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191009160907.10981-1-christian.brauner@ubuntu.com>
References: <20191009160907.10981-1-christian.brauner@ubuntu.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In v5.4-rc2 we added a new helper (cf. [1]) copy_struct_from_user().
This helper is intended for all codepaths that copy structs from
userspace that are versioned by size. The bpf() syscall does exactly
what copy_struct_from_user() is doing.
Note that copy_struct_from_user() is calling min() already. So
technically, the min_t() call could go. But the size is used further
below so leave it.

[1]: f5a1a536fa14 ("lib: introduce copy_struct_from_user() helper")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 kernel/bpf/syscall.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 6f4f9097b1fe..6fdcbdb27501 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2819,14 +2819,11 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
-	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
-	if (err)
-		return err;
 	size = min_t(u32, size, sizeof(attr));
-
 	/* copy attributes from user space, may be less than sizeof(bpf_attr) */
-	if (copy_from_user(&attr, uattr, size) != 0)
-		return -EFAULT;
+	err = copy_struct_from_user(&attr, sizeof(attr), uattr, size);
+	if (err)
+		return err;
 
 	err = security_bpf(cmd, &attr, size);
 	if (err < 0)
-- 
2.23.0