Commit 00e74ae0 authored by Stanislav Fomichev's avatar Stanislav Fomichev Committed by Daniel Borkmann

bpf: Don't EFAULT for getsockopt with optval=NULL

Some socket options do getsockopt with optval=NULL to estimate the size
of the final buffer (which is returned via optlen). This breaks BPF
getsockopt assumptions about permitted optval buffer size. Let's enforce
these assumptions only when non-NULL optval is provided.

Fixes: 0d01da6a ("bpf: implement getsockopt and setsockopt hooks")
Reported-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/ZD7Js4fj5YyI2oLd@google.com/T/#mb68daf700f87a9244a15d01d00c3f0e5b08f49f7
Link: https://lore.kernel.org/bpf/20230418225343.553806-2-sdf@google.com
parent 02e93e04
...@@ -1921,14 +1921,17 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, ...@@ -1921,14 +1921,17 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
if (ret < 0) if (ret < 0)
goto out; goto out;
if (ctx.optlen > max_optlen || ctx.optlen < 0) { if (optval && (ctx.optlen > max_optlen || ctx.optlen < 0)) {
ret = -EFAULT; ret = -EFAULT;
goto out; goto out;
} }
if (ctx.optlen != 0) { if (ctx.optlen != 0) {
if (copy_to_user(optval, ctx.optval, ctx.optlen) || if (optval && copy_to_user(optval, ctx.optval, ctx.optlen)) {
put_user(ctx.optlen, optlen)) { ret = -EFAULT;
goto out;
}
if (put_user(ctx.optlen, optlen)) {
ret = -EFAULT; ret = -EFAULT;
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment