git.kernel.dk Git - linux-2.6-block.git/commit

author	Kees Cook <keescook@chromium.org>
	Mon, 4 Mar 2024 21:29:31 +0000 (13:29 -0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 6 Mar 2024 02:35:12 +0000 (18:35 -0800)
commit	ff73f8344e58e7557819f92c88f289ffa6116be7
tree	fbd4c36c8575882d60e06ea46aaf204c8b236ce5	tree \| snapshot
parent	4166204d7ec26aee3d1f26847e88e4e41841fbe3	commit \| diff

sock: Use unsafe_memcpy() for sock_copy()

While testing for places where zero-sized destinations were still showing
up in the kernel, sock_copy() and inet_reqsk_clone() were found, which
are using very specific memcpy() offsets for both avoiding a portion of
struct sock, and copying beyond the end of it (since struct sock is really
just a common header before the protocol-specific allocation). Instead
of trying to unravel this historical lack of container_of(), just switch
to unsafe_memcpy(), since that's effectively what was happening already
(memcpy() wasn't checking 0-sized destinations while the code base was
being converted away from fake flexible arrays).

Avoid the following false positive warning with future changes to
CONFIG_FORTIFY_SOURCE:

memcpy: detected field-spanning write (size 3068) of destination "&nsk->__sk_common.skc_dontcopy_end" at net/core/sock.c:2057 (size 0)

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240304212928.make.772-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

net/core/sock.c		diff \| blob \| blame \| history
net/ipv4/inet_connection_sock.c		diff \| blob \| blame \| history