Re: [PATCH v3] sock: Use unsafe_memcpy() for sock_copy()
From: Simon Horman
Date: Tue Mar 05 2024 - 08:23:42 EST
On Mon, Mar 04, 2024 at 01:29:31PM -0800, Kees Cook wrote:
> While testing for places where zero-sized destinations were still showing
> up in the kernel, sock_copy() and inet_reqsk_clone() were found, which
> are using very specific memcpy() offsets for both avoiding a portion of
> struct sock, and copying beyond the end of it (since struct sock is really
> just a common header before the protocol-specific allocation). Instead
> of trying to unravel this historical lack of container_of(), just switch
> to unsafe_memcpy(), since that's effectively what was happening already
> (memcpy() wasn't checking 0-sized destinations while the code base was
> being converted away from fake flexible arrays).
>
> Avoid the following false positive warning with future changes to
> CONFIG_FORTIFY_SOURCE:
>
> memcpy: detected field-spanning write (size 3068) of destination "&nsk->__sk_common.skc_dontcopy_end" at net/core/sock.c:2057 (size 0)
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: netdev@xxxxxxxxxxxxxxx
> v3: fix inet_reqsk_clone() comment
> v2: https://lore.kernel.org/lkml/20240216232220.it.450-kees@xxxxxxxxxx
> v1: https://lore.kernel.org/lkml/20240216204423.work.066-kees@xxxxxxxxxx
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>