From: Alexei Starovoitov > Sent: 07 October 2022 22:55 .... > Not easy at all. > There is only way place in the whole kernel that does: > return sk_getsockopt(sk, SOL_SOCKET, optname, > KERNEL_SOCKPTR(optval), > KERNEL_SOCKPTR(optlen)); Until I add change my out of tree driver to work with the new code. (Although it actually needs to do a getsockopt into SCTP.) I didn't spot the change to sk_getsockopt() going though. But KERNEL_SOCKPTR() is really the wrong function/type for the length. It would be much safer to have a struct with two members, one an __user pointer and one a kernel pointer both to socklen_t. It isn't really ideal for the buffer pointer either. That started as a single field (assuming the caller has verified the user/kernel status), then the is_kernel field was added for architectures where user/kernel addresses use the same values. Then a horrid bug (forgotten where) forced the is_kernel field be used everywhere. Again a structure with two pointers would be much safer. Indeed the length could likely be included as well. That would even give scope for a short user buffer being copied into kernel memory while letting code that needs a long buffer (or ignores the length) still directly access userspace. I can't remember, but something makes me think that a lot of the 'not checking the length' setsockopt calls were in decnet - which has now been deleted. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
