Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 907a380e authored Sep 21, 2023 by Jordan Rife Committed by Greg Kroah-Hartman Oct 25, 2023

net: prevent address rewrite in kernel_bind()

commit c889a99a21bf124c3db08d09df919f0eccc5ea4c upstream.

Similar to the change in commit 0bdf399342c5("net: Avoid address
overwrite in kernel_connect"), BPF hooks run on bind may rewrite the
address passed to kernel_bind(). This change

1) Makes a copy of the bind address in kernel_bind() to insulate
   callers.
2) Replaces direct calls to sock->ops->bind() in net with kernel_bind()

Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/


Fixes: 4fbac77d ("bpf: Hooks for sys_bind")
Cc: stable@vger.kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jordan Rife <jrife@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 061a1823

net/netfilter/ipvs/ip_vs_sync.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1444,7 +1444,7 @@ static int bind_mcastif_addr(struct socket sock, struct net_device dev)
		sin.sin_addr.s_addr = addr;
		sin.sin_port = 0;

		return sock->ops->bind(sock, (struct sockaddr*)&sin, sizeof(sin));
		return kernel_bind(sock, (struct sockaddr *)&sin, sizeof(sin));
		}

		static void get_mcast_sockaddr(union ipvs_sockaddr sa, int salen,
		@@ -1551,7 +1551,7 @@ static int make_receive_sock(struct netns_ipvs *ipvs, int id,

		get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id);
		sock->sk->sk_bound_dev_if = dev->ifindex;
		result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen);
		result = kernel_bind(sock, (struct sockaddr *)&mcast_addr, salen);
		if (result < 0) {
		pr_err("Error binding to the multicast addr\n");
		goto error;

net/rds/tcp_connect.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -141,7 +141,7 @@ int rds_tcp_conn_path_connect(struct rds_conn_path *cp)
		addrlen = sizeof(sin);
		}

		ret = sock->ops->bind(sock, addr, addrlen);
		ret = kernel_bind(sock, addr, addrlen);
		if (ret) {
		rdsdebug("bind failed with %d at address %pI6c\n",
		ret, &conn->c_laddr);

net/rds/tcp_listen.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -332,7 +332,7 @@ struct socket rds_tcp_listen_init(struct net net, bool isv6)
		addr_len = sizeof(*sin);
		}

		ret = sock->ops->bind(sock, (struct sockaddr *)&ss, addr_len);
		ret = kernel_bind(sock, (struct sockaddr *)&ss, addr_len);
		if (ret < 0) {
		rdsdebug("could not bind %s listener socket: %d\n",
		isv6 ? "IPv6" : "IPv4", ret);

net/socket.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -3584,7 +3584,11 @@ static long compat_sock_ioctl(struct file *file, unsigned int cmd,

		int kernel_bind(struct socket sock, struct sockaddr addr, int addrlen)
		{
		return sock->ops->bind(sock, addr, addrlen);
		struct sockaddr_storage address;

		memcpy(&address, addr, addrlen);

		return sock->ops->bind(sock, (struct sockaddr *)&address, addrlen);
		}
		EXPORT_SYMBOL(kernel_bind);