References: <20210826012722.3210359-1-pcc@google.com>
From: Peter Collingbourne
Date: Thu, 26 Aug 2021 12:46:15 -0700
Subject: Re: [PATCH] net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
To: Greg KH
Cc: "David S. Miller", Jakub Kicinski, Colin Ian King, Cong Wang, Al Viro, netdev@vger.kernel.org, Linux Kernel Mailing List, stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 25, 2021 at 11:39 PM Greg KH wrote:
>
> On Wed, Aug 25, 2021 at 06:27:22PM -0700, Peter Collingbourne wrote:
> > A common implementation of isatty(3) involves calling an ioctl passing
> > a dummy struct argument and checking whether the syscall failed --
> > bionic and glibc use TCGETS (passing a struct termios), and musl uses
> > TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
> > copy sizeof(struct ifreq) bytes of data from the argument and return
> > -EFAULT if that fails. The result is that the isatty implementations
> > may return a non-POSIX-compliant value in errno in the case where part
> > of the dummy struct argument is inaccessible, as both struct termios
> > and struct winsize are smaller than struct ifreq (at least on arm64).
> >
> > Although there is usually enough stack space following the argument
> > on the stack that this did not present a practical problem up to now,
> > with MTE stack instrumentation it's more likely for the copy to fail,
> > as the memory following the struct may have a different tag.
> >
> > Fix the problem by adding an early check for whether the ioctl is a
> > valid socket ioctl, and return -ENOTTY if it isn't.
> >
> > Fixes: 44c02a2c3dc5 ("dev_ioctl(): move copyin/copyout to callers")
> > Link: https://linux-review.googlesource.com/id/I869da6cf6daabc3e4b7b82ac979683ba05e27d4d
> > Signed-off-by: Peter Collingbourne
> > Cc: # 4.19
> > ---
> > include/linux/netdevice.h | 1 +
> > net/core/dev_ioctl.c | 64 ++++++++++++++++++++++++++++++++-------
> > net/socket.c | 6 +++-
> > 3 files changed, 59 insertions(+), 12 deletions(-)
> >
> > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> > index eaf5bb008aa9..481b90ef0d32 100644
> > --- a/include/linux/netdevice.h
> > +++ b/include/linux/netdevice.h
> > @@ -4012,6 +4012,7 @@ int netdev_rx_handler_register(struct net_device *dev,
> >  void netdev_rx_handler_unregister(struct net_device *dev);
> >
> >  bool dev_valid_name(const char *name);
> > +bool is_dev_ioctl_cmd(unsigned int cmd);
>
> "is_socket_ioctl_cmd()" might be a better global name here.

SGTM, done in v2.

Peter
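Review bot: the new prototype added to include/linux/netdevice.h after dev_valid_name() has no comment saying which commands it accepts, so a reader of the header cannot tell whether it covers only the commands dev_ioctl() handles or every ioctl the caller in net/socket.c will pass on; add a one-line comment above the declaration stating the range it tests (the body in net/core/dev_ioctl.c is not quoted in this thread, so the range has to come from the author). The rename to is_socket_ioctl_cmd() that Greg asks for, and that v2 adopts, also removes the mismatch between the name and the commit message's "valid socket ioctl".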
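The failure mode the commit message describes, reproduced from user space as an added example (this is not code from the patch, from Peter, or from the kernel tree): a struct winsize, the 8-byte dummy argument musl's isatty() hands to TIOCGWINSZ, is placed in the last bytes of a readable page that is immediately followed by a PROT_NONE page, and the ioctl is issued on a socket. On a kernel without the fix the unconditional copy of sizeof(struct ifreq) bytes (40 on 64-bit architectures) runs off the end of the struct into the inaccessible page and the ioctl fails with EFAULT; with the fix it fails with ENOTTY, which is what POSIX requires isatty() to leave in errno for a non-terminal fd. A control placement at the start of the page returns ENOTTY either way. The PROT_NONE page stands in for the differently tagged stack memory the commit message mentions for MTE. The AF_UNIX socket, the two-page mapping and the function names are this example's own choices, not anything from the patch.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* MAP_ANONYMOUS, struct ifreq */
#endif
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

/* Issue one ioctl on a fresh AF_UNIX socket (assumption of this example:
 * any socket family reaches the generic copy_from_user path the commit
 * message describes). Returns 0 on success, errno on failure, -1 if the
 * socket could not be created. */
static int socket_ioctl_errno(unsigned long req, void *arg)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int saved = ioctl(fd, req, arg) == 0 ? 0 : errno;
    close(fd);
    return saved;
}

/* Map two pages, make the second one inaccessible, and place the 8-byte
 * struct winsize either at the very end of the first page (at_page_end
 * != 0) or at its start (control). The struct itself is fully readable
 * in both cases; only the bytes after it differ, which is exactly what
 * an unconditional sizeof(struct ifreq) copy is sensitive to. */
static int winsize_probe_errno(int at_page_end)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    unsigned char *map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return -1;
    if (mprotect(map + page, page, PROT_NONE) != 0) {
        munmap(map, 2 * page);
        return -1;
    }
    struct winsize *ws = (struct winsize *)
        (at_page_end ? map + page - sizeof(struct winsize) : map);
    memset(ws, 0, sizeof(*ws));
    int err = socket_ioctl_errno(TIOCGWINSZ, ws);
    munmap(map, 2 * page);
    return err;
}

int main(void)
{
    printf("sizeof(struct winsize) = %zu, sizeof(struct ifreq) = %zu\n",
           sizeof(struct winsize), sizeof(struct ifreq));
    int control = winsize_probe_errno(0);
    int crossing = winsize_probe_errno(1);
    printf("winsize at page start: %s\n", strerror(control));
    printf("winsize at page end:   %s%s\n", strerror(crossing),
           crossing == EFAULT ? " (kernel without the fix)" :
           crossing == ENOTTY ? " (kernel with the fix)" : "");
    return 0;
}
```

Build with `gcc -Wall probe.c -o probe && ./probe`. The first probe reports ENOTTY on every kernel; the second reports EFAULT on a kernel that still copies a full struct ifreq before checking the command, and ENOTTY once the early is_socket_ioctl_cmd() check from this patch is present.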