On Mon, Mar 04, 2024 at 01:29:31PM -0800, Kees Cook wrote:
> While testing for places where zero-sized destinations were still showing
> up in the kernel, sock_copy() and inet_reqsk_clone() were found, which
> are using very specific memcpy() offsets for both avoiding a portion of
> struct sock, and copying beyond the end of it (since struct sock is really
> just a common header before the protocol-specific allocation). Instead
> of trying to unravel this historical lack of container_of(), just switch
> to unsafe_memcpy(), since that's effectively what was happening already
> (memcpy() wasn't checking 0-sized destinations while the code base was
> being converted away from fake flexible arrays).
>
> Avoid the following false positive warning with future changes to
> CONFIG_FORTIFY_SOURCE:
>
> memcpy: detected field-spanning write (size 3068) of destination
> "&nsk->__sk_common.skc_dontcopy_end" at net/core/sock.c:2057 (size 0)
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> Cc: Jakub Kicinski <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Eric Dumazet <[email protected]>
> Cc: Paolo Abeni <[email protected]>
> Cc: [email protected]
> v3: fix inet_reqsk_clone() comment
> v2: https://lore.kernel.org/lkml/[email protected]
> v1: https://lore.kernel.org/lkml/[email protected]
Reviewed-by: Simon Horman <[email protected]>
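The layout the quoted patch description talks about, as an added illustration that is not kernel code and not part of the patch: a constructed common header with zero-length `dontcopy_begin`/`dontcopy_end` marker members, embedded at the front of a larger protocol-specific struct, and a clone routine that copies the two ranges the way sock_copy() does (up to the first marker, then from the second marker to the end of the protocol-specific allocation rather than to the end of the header). The struct and field names are hypothetical stand-ins for struct sock_common/struct sock; `fortify_dest_size()` only reports what `__builtin_object_size(ptr, 1)`, the member-size query a FORTIFY-style field-spanning check relies on, returns for the marker member on the compiler in use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct sock_common: zero-length markers bracket
 * the fields a clone must NOT overwrite (in the kernel: locks, refcounts,
 * RCU state). Zero-length arrays are a GCC/Clang extension, as in the kernel. */
struct sock_common {
    uint32_t family;
    uint32_t dontcopy_begin[0];   /* like skc_dontcopy_begin */
    uint32_t refcnt;              /* preserved in the clone */
    uint32_t lock_state;          /* preserved in the clone */
    uint32_t dontcopy_end[0];     /* like skc_dontcopy_end */
    uint32_t hash;
};

/* Hypothetical protocol-specific socket. The common header is its first
 * member, so copying "past the end" of the header is still inside this object;
 * obj_size plays the role of prot->obj_size. */
struct tcp_sock_like {
    struct sock_common sk;
    uint32_t snd_una;
    uint32_t rcv_nxt;
    uint8_t  opts[16];
};

/* Length of the second copy: from dontcopy_end to the end of the allocation. */
static size_t clone_tail_len(size_t obj_size)
{
    return obj_size - offsetof(struct sock_common, dontcopy_end);
}

/* Same two-range shape as sock_copy(). Addresses are derived by offset
 * arithmetic on char pointers, so no member-size check is in play here; the
 * kernel keeps the &nsk->...dontcopy_end form and uses unsafe_memcpy() to
 * opt out of the check for this deliberately field-spanning copy. */
static void clone_sock(void *nsk, const void *osk, size_t obj_size)
{
    size_t head_len = offsetof(struct sock_common, dontcopy_begin);
    size_t tail_off = offsetof(struct sock_common, dontcopy_end);

    memcpy(nsk, osk, head_len);
    memcpy((char *)nsk + tail_off, (const char *)osk + tail_off,
           clone_tail_len(obj_size));
}

/* Size a member-granular check sees for the destination when the copy is
 * written against the marker member itself. The kernel build quoted in the
 * patch reported 0 for this; the exact value is compiler-dependent. */
static size_t fortify_dest_size(struct tcp_sock_like *nsk)
{
    return __builtin_object_size(&nsk->sk.dontcopy_end, 1);
}

/* Self-check with constructed values: returns 1 when the fields outside the
 * markers crossed over and the bracketed fields kept the clone's own values. */
static int check_clone(void)
{
    struct tcp_sock_like osk = {
        .sk = { .family = 2, .refcnt = 7, .lock_state = 1, .hash = 0xabcd },
        .snd_una = 1000, .rcv_nxt = 2000, .opts = { 1, 2, 3 },
    };
    struct tcp_sock_like nsk;

    memset(&nsk, 0, sizeof(nsk));
    nsk.sk.refcnt = 1;        /* a fresh clone's own reference count */
    nsk.sk.lock_state = 0;    /* a fresh clone's own, unlocked, state */

    clone_sock(&nsk, &osk, sizeof(struct tcp_sock_like));

    return nsk.sk.family == 2 && nsk.sk.hash == 0xabcd &&
           nsk.snd_una == 1000 && nsk.rcv_nxt == 2000 && nsk.opts[2] == 3 &&
           nsk.sk.refcnt == 1 && nsk.sk.lock_state == 0;
}

int main(void)
{
    struct tcp_sock_like nsk;

    printf("header %zu bytes, object %zu bytes, tail copy %zu bytes\n",
           sizeof(struct sock_common), sizeof(struct tcp_sock_like),
           clone_tail_len(sizeof(struct tcp_sock_like)));
    printf("member size seen for &nsk->sk.dontcopy_end: %zu\n",
           fortify_dest_size(&nsk));
    printf("clone check: %s\n", check_clone() ? "ok" : "FAILED");
    return check_clone() ? 0 : 1;
}
```

The tail copy is longer than the whole header, which is exactly the "field-spanning write" a member-size check flags: the destination expression names a zero-size member, the length covers the rest of a larger allocation, and only the surrounding allocation (not the type system) says the write is in bounds.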
