• Kees Cook's avatar
    sock: Use unsafe_memcpy() for sock_copy() · ff73f834
    Kees Cook authored
    While testing for places where zero-sized destinations were still showing
    up in the kernel, sock_copy() and inet_reqsk_clone() were found, which
    are using very specific memcpy() offsets for both avoiding a portion of
    struct sock, and copying beyond the end of it (since struct sock is really
    just a common header before the protocol-specific allocation). Instead
    of trying to unravel this historical lack of container_of(), just switch
    to unsafe_memcpy(), since that's effectively what was happening already
    (memcpy() wasn't checking 0-sized destinations while the code base was
    being converted away from fake flexible arrays).
    
    Avoid the following false positive warning with future changes to
    CONFIG_FORTIFY_SOURCE:
    
      memcpy: detected field-spanning write (size 3068) of destination "&nsk->__sk_common.skc_dontcopy_end" at net/core/sock.c:2057 (size 0)
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Reviewed-by: default avatarSimon Horman <horms@kernel.org>
    Link: https://lore.kernel.org/r/20240304212928.make.772-kees@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    ff73f834
sock.c 106 KB