From: Paul Moore <pmoore@xxxxxxxxxx>
Date: Wed, 04 Jul 2018 09:58:05 -0400

> From: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> At present the ipv6_renew_options_kern() function ends up calling into
> access_ok() which is problematic if done from inside an interrupt as
> access_ok() calls WARN_ON_IN_IRQ() on some (all?) architectures
> (x86-64 is affected). Example warning/backtrace is shown below:
>
> WARNING: CPU: 1 PID: 3144 at lib/usercopy.c:11 _copy_from_user+0x85/0x90
 ...
> While not present in the backtrace, ipv6_renew_option() ends up calling
> access_ok() via the following chain:
>
>   access_ok()
>   _copy_from_user()
>   copy_from_user()
>   ipv6_renew_option()
>
> The fix presented in this patch is to perform the userspace copy
> earlier in the call chain such that it is only called when the option
> data is actually coming from userspace; that place is
> do_ipv6_setsockopt(). Not only does this solve the problem seen in
> the backtrace above, it also allows us to simplify the code quite a
> bit by removing ipv6_renew_options_kern() completely. We also take
> this opportunity to cleanup ipv6_renew_options()/ipv6_renew_option()
> a small amount as well.
>
> This patch is heavily based on a rough patch by Al Viro. I've taken
> his original patch, converted a kmemdup() call in do_ipv6_setsockopt()
> to a memdup_user() call, made better use of the e_inval jump target in
> the same function, and cleaned up the use of ipv6_renew_option() by
> ipv6_renew_options().
>
> CC: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>

This looks good to me, applied to 'net'.