On Mon, Jan 10, 2022 at 11:07:08AM +0100, Pavel Machek wrote:
> Hi!
>
> > From: Christoph Hellwig <hch@xxxxxx>
> >
> > commit 3087a6f36ee028ec095c04a8531d7d33899b7fed upstream.
> >
> > This code used to copy in an unsigned long worth of data before
> > the sockptr_t conversion, so restore that.
>
> Maybe, but then the size checks need to be updated, too.
>
> > Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > Signed-off-by: Christoph Hellwig <hch@xxxxxx>
> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > ---
> > net/netrom/af_netrom.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/net/netrom/af_netrom.c
> > +++ b/net/netrom/af_netrom.c
> > @@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket *
> > if (optlen < sizeof(unsigned int))
>
> This should be < sizeof(unsigned long)) ... AFAICT.
>
> > return -EINVAL;
Yeah. This patch isn't right. I sent a follow on that changes
everything to unsigned int. Originally it was:
if (get_user(opt, (unsigned int __user *)optval))
Which copies an unsigned int from the user into an unsigned long opt
variable.
My fix is required to fix an uninitialized data bug in a7b75c5a8c41
("net: pass a sockptr_t into ->setsockopt"). It would be sligthly more
complicated to just backport my fix without first backporting this one
and it would look sort of weird. So I think it's better to backport
this and then mine.
regards,
dan carpenter
