From: 'Marcelo Ricardo Leitner'
> Sent: 21 May 2020 01:17
> On Wed, May 20, 2020 at 03:08:13PM +0000, David Laight wrote:
> ...
> > Only SCTP_SOCKOPT_CONNECTX3 contains an indirect pointer.
> > It is also the only getsockopt() that wants to return a buffer
> > and an error code. It is also definitely abusing getsockopt().
> ...
> > @@ -1375,11 +1350,11 @@ struct compat_sctp_getaddrs_old {
> > #endif
> >
> > static int sctp_getsockopt_connectx3(struct sock *sk, int len,
> > - char __user *optval,
> > - int __user *optlen)
> > + struct sctp_getaddrs_old *param,
> > + int *optlen)
> > {
> > - struct sctp_getaddrs_old param;
> > sctp_assoc_t assoc_id = 0;
> > + struct sockaddr *addrs;
> > int err = 0;
> >
> > #ifdef CONFIG_COMPAT
..
> > } else
> > #endif
> > {
> > - if (len < sizeof(param))
> > + if (len < sizeof(*param))
> > return -EINVAL;
> > - if (copy_from_user(¶m, optval, sizeof(param)))
> > - return -EFAULT;
> > }
> >
> > - err = __sctp_setsockopt_connectx(sk, (struct sockaddr __user *)
> > - param.addrs, param.addr_num,
> > + addrs = memdup_user(param->addrs, param->addr_num);
>
> I'm staring at this for a while now but I don't get this memdup_user.
> AFAICT, params->addrs is not __user anymore here, because
> sctp_getsockopt() copied the whole thing already, no?
> Also weird because it is being called from kernel_sctp_getsockopt(),
> which now has no knowledge of __user buffers.
> Maybe I didn't get something from the patch description.
The connectx3 sockopt buffer contains a pointer to the user buffer
that contains the actual addresses.
So a second copy_from_user() is needed.
This does mean that this option can only be actioned from userspace.
Kernel code can get the same functionality using one of the
other interfaces to connectx().
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
