From: Eric Dumazet > Sent: 06 August 2020 23:21 > > On 7/22/20 11:09 PM, Christoph Hellwig wrote: > > Rework the remaining setsockopt code to pass a sockptr_t instead of a > > plain user pointer. This removes the last remaining set_fs(KERNEL_DS) > > outside of architecture specific code. > > > > Signed-off-by: Christoph Hellwig <hch@xxxxxx> > > Acked-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx> [ieee802154] > > --- > > > ... > > > diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c > > index 594e01ad670aa6..874f01cd7aec42 100644 > > --- a/net/ipv6/raw.c > > +++ b/net/ipv6/raw.c > > @@ -972,13 +972,13 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) > > } > > > > ... > > > static int do_rawv6_setsockopt(struct sock *sk, int level, int optname, > > - char __user *optval, unsigned int optlen) > > + sockptr_t optval, unsigned int optlen) > > { > > struct raw6_sock *rp = raw6_sk(sk); > > int val; > > > > - if (get_user(val, (int __user *)optval)) > > + if (copy_from_sockptr(&val, optval, sizeof(val))) > > return -EFAULT; > > > > converting get_user(...) to copy_from_sockptr(...) really assumed the optlen > has been validated to be >= sizeof(int) earlier. > > Which is not always the case, for example here. > > User application can fool us passing optlen=0, and a user pointer of exactly TASK_SIZE-1 Won't the user pointer force copy_from_sockptr() to call copy_from_user() which will then do access_ok() on the entire range and so return -EFAULT. The only problems arise if the kernel code adds an offset to the user address. And the later patch added an offset to the copy functions. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)