Re: [PATCH 2/5] sockptr: fix usize check in copy_struct_from_sockptr() for user pointers

From: Aleksa Sarai

Date: Thu Apr 09 2026 - 02:39:31 EST


On 2026-04-09, Aleksa Sarai <cyphar@xxxxxxxxxx> wrote:
> On 2026-04-07, Stefan Metzmacher <metze@xxxxxxxxx> wrote:
> > copy_struct_from_user will never hit the check_zeroed_user() call
> > and will never return -E2BIG if new userspace passed new bits in a
> > larger structure than the current kernel structure.
> >
> > As far as I can tell there are no critical/related uapi changes in
> >
> > - include/net/bluetooth/bluetooth.h and net/bluetooth/sco.c
> > after the use of copy_struct_from_sockptr in v6.13-rc3
> > - include/uapi/linux/tcp.h and net/ipv4/tcp_ao.c
> > after the use of copy_struct_from_sockptr in v6.6-rc1
> >
> > So that new callers will get the correct behavior from the start.
> >
> > Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s")
> > Fixes: ef84703a911f ("net/tcp: Add TCP-AO getsockopt()s")
> > Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR")
> > Fixes: 3e643e4efa1e ("Bluetooth: Improve setsockopt() handling of malformed user input")
> > Cc: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
> > Cc: Dmitry Safonov <dima@xxxxxxxxxx>
> > Cc: Francesco Ruggeri <fruggeri@xxxxxxxxxx>
> > Cc: Salam Noureddine <noureddine@xxxxxxxxxx>
> > Cc: David Ahern <dsahern@xxxxxxxxxx>
> > Cc: David S. Miller <davem@xxxxxxxxxxxxx>
> > Cc: Michal Luczaj <mhal@xxxxxxx>
> > Cc: David Wei <dw@xxxxxxxxxxx>
> > Cc: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> > Cc: Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>
> > Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx>
> > Cc: Xin Long <lucien.xin@xxxxxxxxx>
> > Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> > Cc: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> > Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> > Cc: Willem de Bruijn <willemb@xxxxxxxxxx>
> > Cc: Neal Cardwell <ncardwell@xxxxxxxxxx>
> > Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> > Cc: Simon Horman <horms@xxxxxxxxxx>
> > Cc: Aleksa Sarai <cyphar@xxxxxxxxxx>
> > Cc: Christian Brauner <brauner@xxxxxxxxxx>
> > CC: Kees Cook <keescook@xxxxxxxxxxxx>
> > Cc: netdev@xxxxxxxxxxxxxxx
> > Cc: linux-bluetooth@xxxxxxxxxxxxxxx
> > Cc: linux-kernel@xxxxxxxxxxxxxxx
> > Signed-off-by: Stefan Metzmacher <metze@xxxxxxxxx>
> > ---
> > include/linux/sockptr.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h
> > index 3e6c8e9d67ae..ba88f4d78c1b 100644
> > --- a/include/linux/sockptr.h
> > +++ b/include/linux/sockptr.h
> > @@ -91,7 +91,7 @@ static inline int copy_struct_from_sockptr(void *dst, size_t ksize,
> > size_t rest = max(ksize, usize) - size;
> >
> > if (!sockptr_is_kernel(src))
> > - return copy_struct_from_user(dst, ksize, src.user, size);
> > + return copy_struct_from_user(dst, ksize, src.user, usize);
> >
> > if (usize < ksize) {
> > memset(dst + size, 0, rest);
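
Review bot: the one-line change is right, but the commit message should state explicitly that it is user-visible: because the old call passed `size` rather than the caller's `usize`, copy_struct_from_user() could never observe a usize larger than ksize (as the message itself says), so after this hunk a setsockopt() caller that hands in a buffer larger than the kernel struct with non-zero trailing bytes gets -E2BIG where it previously succeeded silently. A short sentence saying that this is the intended behaviour for the TCP-AO and Bluetooth callers listed in the Fixes: tags, and that the kernel-pointer branch below (which still uses `size` and `rest`) is unchanged, would make the scope of the fix clear to anyone backporting it.
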
>
> It is a little weird that this function open-codes memchr_inv() --
> check_zeroed_sockptr() exists and does the right thing. Maybe it'd be
> nice to fix that too?

Ah my bad, I didn't see that you already fixed this in patch #4.

> In any case,
>
> Reviewed-by: Aleksa Sarai <aleksa@xxxxxxxxxxxx>

--
Aleksa Sarai
https://www.cyphar.com/
