net: improve the user pointer check in init_user_sockptr

Make sure not just the pointer itself but the whole range lies in
the user address space.  For that pass the length and then use
the access_ok helper to do the check.

Fixes: 6d04fe15f78a ("net: optimize the sockptr_t for unified kernel/user address spaces")
Reported-by: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h
index 9e6c81d..96840de 100644 (file)
--- a/include/linux/sockptr.h
+++ b/include/linux/sockptr.h
@@ -27,14 +27,6 @@ static inline sockptr_t KERNEL_SOCKPTR(void *p)
 {
        return (sockptr_t) { .kernel = p };
 }
-
-static inline int __must_check init_user_sockptr(sockptr_t *sp, void __user *p)
-{
-       if ((unsigned long)p >= TASK_SIZE)
-               return -EFAULT;
-       sp->user = p;
-       return 0;
-}
 #else /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */
 typedef struct {
        union {
@@ -53,14 +45,16 @@ static inline sockptr_t KERNEL_SOCKPTR(void *p)
 {
        return (sockptr_t) { .kernel = p, .is_kernel = true };
 }
+#endif /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */
 
-static inline int __must_check init_user_sockptr(sockptr_t *sp, void __user *p)
+static inline int __must_check init_user_sockptr(sockptr_t *sp, void __user *p,
+               size_t size)
 {
-       sp->user = p;
-       sp->is_kernel = false;
+       if (!access_ok(p, size))
+               return -EFAULT;
+       *sp = (sockptr_t) { .user = p };
        return 0;
 }
-#endif /* CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE */
 
 static inline bool sockptr_is_null(sockptr_t sockptr)
 {

diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c
index 94f18d2..545b264 100644 (file)
--- a/net/ipv4/bpfilter/sockopt.c
+++ b/net/ipv4/bpfilter/sockopt.c
@@ -65,7 +65,7 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname,
 
        if (get_user(len, optlen))
                return -EFAULT;
-       err = init_user_sockptr(&optval, user_optval);
+       err = init_user_sockptr(&optval, user_optval, len);
        if (err)
                return err;
        return bpfilter_mbox_request(sk, optname, optval, len, false);

diff --git a/net/socket.c b/net/socket.c
index 94ca454..aff52e8 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -2105,7 +2105,7 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
        if (optlen < 0)
                return -EINVAL;
 
-       err = init_user_sockptr(&optval, user_optval);
+       err = init_user_sockptr(&optval, user_optval, optlen);
        if (err)
                return err;