From patchwork Thu Jan 11 02:02:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10156611 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 81C7D605BA for ; Thu, 11 Jan 2018 02:13:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 683E72874B for ; Thu, 11 Jan 2018 02:13:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5CAAC2874F; Thu, 11 Jan 2018 02:13:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.4 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID, URIBL_BLACK autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 593632874B for ; Thu, 11 Jan 2018 02:13:13 +0000 (UTC) Received: (qmail 30004 invoked by uid 550); 11 Jan 2018 02:10:10 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 28622 invoked from network); 11 Jan 2018 02:09:55 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=DEx66seWax9cOAUQfqNGAdG59u+63cMY7cENNNmbTLc=; b=OIFSzACzaj6Dsau1eKwHM5e0hMhjAWMg4la+8Hhh+Ln0+QvAg/gf8KSaK3d9Y1+01K w/EFP2F3gKrOTdrjBkwlOjjvVFuA00VIe5+PR0dXAb9zJ0Lx9ZzVPqgCim/0SPo8cySR SoCMN7JwM6AtiZJkbLJBTvIVm3eyI8nWxCWKs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=DEx66seWax9cOAUQfqNGAdG59u+63cMY7cENNNmbTLc=; b=WAue1SONoy57fwWMI6oPit1/KkJbtxSBrOvNkMemVL6xgBTj9YiDmf/vlUR55Y5VI4 t7PMBjMtd+P0KEu5F11PIkaIdESx1Dviqc9bvWV932DA3tc9teKdBg7n2fAHGqS2ctxt 540Y7r7unDbYs4GdiZNw3qQ/C+MpS2O+UPVThi1XsR294L11v+NhGVp+X4pNXjLRB8EI XZ5b1zA5SmtE03rMiPMcAK4KpZe8KGVcUgv6DOllFaGWni16WTkH8lsfP7UMibeeQxzo nX7R7CEo2g3wtOTkkNtzWqcWaeiADqur7EnfpKfk+Z1i2NyYDqX3q9UwulpKlQLbAMT8 JMuA== X-Gm-Message-State: AKGB3mITn0hLm02mytNhz6O4+KlBQFPhgDXUuB0L9d/+1S7GN+Ta+YTH 6I/BvNUrq5Nk1Kd1FP1ecCBkRg== X-Google-Smtp-Source: ACJfBotkyhscTlAP4jyhh1fNPt0ew9XKMuIe9KfT1G8xTMw4YRMbicgUcTilEhcputnwNSFLSazMBg== X-Received: by 10.98.200.153 with SMTP id i25mr13459264pfk.241.1515636584073; Wed, 10 Jan 2018 18:09:44 -0800 (PST) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , David Windsor , Vlad Yasevich , Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, Linus Torvalds , Alexander Viro , Andrew Morton , Andy Lutomirski , Christoph Hellwig , Christoph Lameter , Laura Abbott , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Christian Borntraeger , Christoffer Dall , Dave Kleikamp , Jan Kara , Luis de Bethencourt , Marc Zyngier , Rik van Riel , Matthew Garrett , linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com Date: Wed, 10 Jan 2018 18:02:59 -0800 Message-Id: <1515636190-24061-28-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1515636190-24061-1-git-send-email-keescook@chromium.org> References: <1515636190-24061-1-git-send-email-keescook@chromium.org> Subject: [kernel-hardening] [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user() X-Virus-Scanned: ClamAV using ClamSMTP From: David Windsor The autoclose field can be copied with put_user(), so there is no need to use copy_to_user(). In both cases, hardened usercopy is being bypassed since the size is constant, and not open to runtime manipulation. This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor [kees: adjust commit log] Cc: Vlad Yasevich Cc: Neil Horman Cc: "David S. Miller" Cc: linux-sctp@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- net/sctp/socket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index efbc8f52c531..15491491ec88 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5011,7 +5011,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int))) + if (put_user(sctp_sk(sk)->autoclose, (int __user *)optval)) return -EFAULT; return 0; }