net: prevent address rewrite in kernel_bind()

jrife · davem330 · commit c889a99a21bf · 2023-10-01T19:31:29.000+01:00
Similar to the change in commit 0bdf399("net: Avoid address overwrite in kernel_connect"), BPF hooks run on bind may rewrite the address passed to kernel_bind(). This change 1) Makes a copy of the bind address in kernel_bind() to insulate callers. 2) Replaces direct calls to sock->ops->bind() in net with kernel_bind() Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/ Fixes: 4fbac77 ("bpf: Hooks for sys_bind") Cc: stable@vger.kernel.org Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Jordan Rife <jrife@google.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
@@ -1439,7 +1439,7 @@ static int bind_mcastif_addr(struct socket *sock, struct net_device *dev)
 	sin.sin_addr.s_addr  = addr;
 	sin.sin_port         = 0;
 
-	return sock->ops->bind(sock, (struct sockaddr*)&sin, sizeof(sin));
+	return kernel_bind(sock, (struct sockaddr *)&sin, sizeof(sin));
 }
 
 static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen,
@@ -1546,7 +1546,7 @@ static int make_receive_sock(struct netns_ipvs *ipvs, int id,
 
 	get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id);
 	sock->sk->sk_bound_dev_if = dev->ifindex;
-	result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen);
+	result = kernel_bind(sock, (struct sockaddr *)&mcast_addr, salen);
 	if (result < 0) {
 		pr_err("Error binding to the multicast addr\n");
 		goto error;
diff --git a/net/rds/tcp_connect.c b/net/rds/tcp_connect.c
@@ -145,7 +145,7 @@ int rds_tcp_conn_path_connect(struct rds_conn_path *cp)
 		addrlen = sizeof(sin);
 	}
 
-	ret = sock->ops->bind(sock, addr, addrlen);
+	ret = kernel_bind(sock, addr, addrlen);
 	if (ret) {
 		rdsdebug("bind failed with %d at address %pI6c\n",
 			 ret, &conn->c_laddr);
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
@@ -306,7 +306,7 @@ struct socket *rds_tcp_listen_init(struct net *net, bool isv6)
 		addr_len = sizeof(*sin);
 	}
 
-	ret = sock->ops->bind(sock, (struct sockaddr *)&ss, addr_len);
+	ret = kernel_bind(sock, (struct sockaddr *)&ss, addr_len);
 	if (ret < 0) {
 		rdsdebug("could not bind %s listener socket: %d\n",
 			 isv6 ? "IPv6" : "IPv4", ret);
diff --git a/net/socket.c b/net/socket.c
@@ -3516,7 +3516,12 @@ static long compat_sock_ioctl(struct file *file, unsigned int cmd,
 
 int kernel_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
 {
-	return READ_ONCE(sock->ops)->bind(sock, addr, addrlen);
+	struct sockaddr_storage address;
+
+	memcpy(&address, addr, addrlen);
+
+	return READ_ONCE(sock->ops)->bind(sock, (struct sockaddr *)&address,
+					  addrlen);
 }
 EXPORT_SYMBOL(kernel_bind);
 

Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ int rds_tcp_conn_path_connect(struct rds_conn_path *cp)`
`145`	`145`	`addrlen = sizeof(sin);`
`146`	`146`	`}`
`147`	`147`
`148`		`- ret = sock->ops->bind(sock, addr, addrlen);`
	`148`	`+ ret = kernel_bind(sock, addr, addrlen);`
`149`	`149`	`if (ret) {`
`150`	`150`	`rdsdebug("bind failed with %d at address %pI6c\n",`
`151`	`151`	`ret, &conn->c_laddr);`
Original file line number	Diff line number	Diff line change
`@@ -306,7 +306,7 @@ struct socket rds_tcp_listen_init(struct net net, bool isv6)`
`306`	`306`	`addr_len = sizeof(*sin);`
`307`	`307`	`}`
`308`	`308`
`309`		`- ret = sock->ops->bind(sock, (struct sockaddr *)&ss, addr_len);`
	`309`	`+ ret = kernel_bind(sock, (struct sockaddr *)&ss, addr_len);`
`310`	`310`	`if (ret < 0) {`
`311`	`311`	`rdsdebug("could not bind %s listener socket: %d\n",`
`312`	`312`	`isv6 ? "IPv6" : "IPv4", ret);`
Original file line number	Diff line number	Diff line change
`@@ -3516,7 +3516,12 @@ static long compat_sock_ioctl(struct file *file, unsigned int cmd,`
`3516`	`3516`
`3517`	`3517`	`int kernel_bind(struct socket sock, struct sockaddr addr, int addrlen)`
`3518`	`3518`	`{`
`3519`		`- return READ_ONCE(sock->ops)->bind(sock, addr, addrlen);`
	`3519`	`+ struct sockaddr_storage address;`
	`3520`	`+`
	`3521`	`+ memcpy(&address, addr, addrlen);`
	`3522`	`+`
	`3523`	`+ return READ_ONCE(sock->ops)->bind(sock, (struct sockaddr *)&address,`
	`3524`	`+ addrlen);`
`3520`	`3525`	`}`
`3521`	`3526`	`EXPORT_SYMBOL(kernel_bind);`
`3522`	`3527`