summaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorStanislav Fomichev <sdf@google.com>2023-04-18 15:53:38 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2023-05-11 23:17:22 +0900
commit83781c60017c3e219cea6cca0141823ae6dbd050 (patch)
treeaf93c642432d0a2152ee4c848558708c069c9972 /kernel
parent642b7bbc5a6569e85005d867fa315ccb91056377 (diff)
downloadlinux-stable-83781c60017c3e219cea6cca0141823ae6dbd050.tar.gz
linux-stable-83781c60017c3e219cea6cca0141823ae6dbd050.tar.bz2
linux-stable-83781c60017c3e219cea6cca0141823ae6dbd050.zip
bpf: Don't EFAULT for getsockopt with optval=NULL
[ Upstream commit 00e74ae0863827d944e36e56a4ce1e77e50edb91 ] Some socket options do getsockopt with optval=NULL to estimate the size of the final buffer (which is returned via optlen). This breaks BPF getsockopt assumptions about permitted optval buffer size. Let's enforce these assumptions only when non-NULL optval is provided. Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") Reported-by: Martin KaFai Lau <martin.lau@kernel.org> Signed-off-by: Stanislav Fomichev <sdf@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/ZD7Js4fj5YyI2oLd@google.com/T/#mb68daf700f87a9244a15d01d00c3f0e5b08f49f7 Link: https://lore.kernel.org/bpf/20230418225343.553806-2-sdf@google.com Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/bpf/cgroup.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index bf2fdb33fb31..819f011f0a9c 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1921,14 +1921,17 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
if (ret < 0)
goto out;
- if (ctx.optlen > max_optlen || ctx.optlen < 0) {
+ if (optval && (ctx.optlen > max_optlen || ctx.optlen < 0)) {
ret = -EFAULT;
goto out;
}
if (ctx.optlen != 0) {
- if (copy_to_user(optval, ctx.optval, ctx.optlen) ||
- put_user(ctx.optlen, optlen)) {
+ if (optval && copy_to_user(optval, ctx.optval, ctx.optlen)) {
+ ret = -EFAULT;
+ goto out;
+ }
+ if (put_user(ctx.optlen, optlen)) {
ret = -EFAULT;
goto out;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-28 05:29:44 +0000