Patch "af_packet: avoid a false positive warning in packet_setsockopt()" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 21 Jun 2024 11:51:09 -0400

This is a note to let you know that I've just added the patch titled

    af_packet: avoid a false positive warning in packet_setsockopt()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     af_packet-avoid-a-false-positive-warning-in-packet_s.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f2958cea9d2d17d4e31b5e7d8db69b9479ea15c7
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Fri Apr 5 11:49:39 2024 +0000

    af_packet: avoid a false positive warning in packet_setsockopt()
    
    [ Upstream commit 86d43e2bf93ccac88ef71cee36a23282ebd9e427 ]
    
    Although the code is correct, the following line
    
            copy_from_sockptr(&req_u.req, optval, len));
    
    triggers this warning :
    
    memcpy: detected field-spanning write (size 28) of single field "dst" at include/linux/sockptr.h:49 (size 16)
    
    Refactor the code to be more explicit.
    
    Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Kees Cook <keescook@xxxxxxxxxxxx>
    Cc: Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx>
    Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8e52f09493053..9bec88fe35058 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3761,28 +3761,30 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,
 	case PACKET_TX_RING:
 	{
 		union tpacket_req_u req_u;
-		int len;
 
+		ret = -EINVAL;
 		lock_sock(sk);
 		switch (po->tp_version) {
 		case TPACKET_V1:
 		case TPACKET_V2:
-			len = sizeof(req_u.req);
+			if (optlen < sizeof(req_u.req))
+				break;
+			ret = copy_from_sockptr(&req_u.req, optval,
+						sizeof(req_u.req)) ?
+						-EINVAL : 0;
 			break;
 		case TPACKET_V3:
 		default:
-			len = sizeof(req_u.req3);
+			if (optlen < sizeof(req_u.req3))
+				break;
+			ret = copy_from_sockptr(&req_u.req3, optval,
+						sizeof(req_u.req3)) ?
+						-EINVAL : 0;
 			break;
 		}
-		if (optlen < len) {
-			ret = -EINVAL;
-		} else {
-			if (copy_from_sockptr(&req_u.req, optval, len))
-				ret = -EFAULT;
-			else
-				ret = packet_set_ring(sk, &req_u, 0,
-						    optname == PACKET_TX_RING);
-		}
+		if (!ret)
+			ret = packet_set_ring(sk, &req_u, 0,
+					      optname == PACKET_TX_RING);
 		release_sock(sk);
 		return ret;
 	}







