Re: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)

From: Eric Dumazet
Date: Tue Apr 09 2024 - 10:18:13 EST


On Tue, Apr 9, 2024 at 4:02 PM Edward Adam Davis <eadavis@xxxxxx> wrote:
>
> On Tue, 9 Apr 2024 15:07:41 +0200, Eric Dumazet wrote:
> > > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
> > > only 2 bytes being allocated when allocating memory to kernel_optval, and the
> > > optval size passed when calling the function copy_from_sockptr() is 4 bytes.
> > > Here, optlen is determined uniformly in the entry function __sys_setsockopt().
> > > If its value is less than 4, the parameter is considered invalid.
> > >
> > > Reported-by: syzbot+837ba09d9db969068367@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Reported-by: syzbot+b71011ec0a23f4d15625@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Reported-by: syzbot+d4ecae01a53fd9b42e7d@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> >
> >
> > I think I gave my feedback already.
> >
> > Please do not ignore maintainers feedback.
> >
> > This patch is absolutely wrong.
> >
> > Some setsockopt() deal with optlen == 1 just fine, thank you very much.
> It's better to use evidence to support your claim, rather than your "maintainer" title.

I will answer since you ask so nicely,
but if you plan sending linux kernel patches, I suggest you look in
the source code.

Look at do_ip_setsockopt(), which is one of the most used setsockopt()
in the world.

The code is at least 20 years old.

It even supports optlen == 0

if (optlen >= sizeof(int)) {
if (copy_from_sockptr(&val, optval, sizeof(val)))
return -EFAULT;
} else if (optlen >= sizeof(char)) {
unsigned char ucval;

if (copy_from_sockptr(&ucval, optval, sizeof(ucval)))
return -EFAULT;
val = (int) ucval;
}
}

/* If optlen==0, it is equivalent to val == 0 */