lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 May 2022 22:31:05 -0500 From: "Gustavo A. R. Silva" <gustavoars@...nel.org> To: Kees Cook <keescook@...omium.org> Cc: Rasmus Villemoes <linux@...musvillemoes.dk>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Rich Felker <dalias@...ifal.cx>, Eric Dumazet <edumazet@...gle.com>, netdev@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, alsa-devel@...a-project.org, Al Viro <viro@...iv.linux.org.uk>, Andrew Gabbasov <andrew_gabbasov@...tor.com>, Andrew Morton <akpm@...ux-foundation.org>, Andy Gross <agross@...nel.org>, Andy Lavr <andy.lavr@...il.com>, Arend van Spriel <aspriel@...il.com>, Baowen Zheng <baowen.zheng@...igine.com>, Bjorn Andersson <bjorn.andersson@...aro.org>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Bradley Grove <linuxdrivers@...otech.com>, brcm80211-dev-list.pdl@...adcom.com, Christian Brauner <brauner@...nel.org>, Christian Göttsche <cgzones@...glemail.com>, Christian Lamparter <chunkeey@...glemail.com>, Chris Zankel <chris@...kel.net>, Cong Wang <cong.wang@...edance.com>, Daniel Axtens <dja@...ens.net>, Daniel Vetter <daniel.vetter@...ll.ch>, Dan Williams <dan.j.williams@...el.com>, David Gow <davidgow@...gle.com>, David Howells <dhowells@...hat.com>, Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>, devicetree@...r.kernel.org, Dexuan Cui <decui@...rosoft.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eli Cohen <elic@...dia.com>, Eric Paris <eparis@...isplace.org>, Eugeniu Rosca <erosca@...adit-jv.com>, Felipe Balbi <balbi@...nel.org>, Francis Laniel <laniel_francis@...vacyrequired.com>, Frank Rowand <frowand.list@...il.com>, Franky Lin <franky.lin@...adcom.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Gregory Greenman <gregory.greenman@...el.com>, Guenter Roeck <linux@...ck-us.net>, Haiyang Zhang <haiyangz@...rosoft.com>, Hante Meuleman <hante.meuleman@...adcom.com>, Herbert Xu <herbert@...dor.apana.org.au>, Hulk Robot <hulkci@...wei.com>, "James E.J. Bottomley" <jejb@...ux.ibm.com>, James Morris <jmorris@...ei.org>, Jarkko Sakkinen <jarkko@...nel.org>, Jaroslav Kysela <perex@...ex.cz>, Jason Gunthorpe <jgg@...pe.ca>, Jens Axboe <axboe@...nel.dk>, Johan Hedberg <johan.hedberg@...il.com>, Johannes Berg <johannes.berg@...el.com>, Johannes Berg <johannes@...solutions.net>, John Keeping <john@...anate.com>, Juergen Gross <jgross@...e.com>, Kalle Valo <kvalo@...nel.org>, Keith Packard <keithp@...thp.com>, keyrings@...r.kernel.org, kunit-dev@...glegroups.com, Kuniyuki Iwashima <kuniyu@...zon.co.jp>, "K. Y. Srinivasan" <kys@...rosoft.com>, Lars-Peter Clausen <lars@...afoo.de>, Lee Jones <lee.jones@...aro.org>, Leon Romanovsky <leon@...nel.org>, Liam Girdwood <lgirdwood@...il.com>, linux1394-devel@...ts.sourceforge.net, linux-afs@...ts.infradead.org, linux-arm-kernel@...ts.infradead.org, linux-arm-msm@...r.kernel.org, linux-bluetooth@...r.kernel.org, linux-hardening@...r.kernel.org, linux-hyperv@...r.kernel.org, linux-integrity@...r.kernel.org, linux-rdma@...r.kernel.org, linux-scsi@...r.kernel.org, linux-security-module@...r.kernel.org, linux-usb@...r.kernel.org, linux-wireless@...r.kernel.org, linux-xtensa@...ux-xtensa.org, llvm@...ts.linux.dev, Loic Poulain <loic.poulain@...aro.org>, Louis Peens <louis.peens@...igine.com>, Luca Coelho <luciano.coelho@...el.com>, Luiz Augusto von Dentz <luiz.dentz@...il.com>, Marc Dionne <marc.dionne@...istor.com>, Marcel Holtmann <marcel@...tmann.org>, Mark Brown <broonie@...nel.org>, "Martin K. Petersen" <martin.petersen@...cle.com>, Max Filippov <jcmvbkbc@...il.com>, Mimi Zohar <zohar@...ux.ibm.com>, Muchun Song <songmuchun@...edance.com>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Nuno Sá <nuno.sa@...log.com>, Paolo Abeni <pabeni@...hat.com>, Paul Moore <paul@...l-moore.com>, Rob Herring <robh+dt@...nel.org>, Russell King <linux@...linux.org.uk>, selinux@...r.kernel.org, "Serge E. Hallyn" <serge@...lyn.com>, SHA-cyfmac-dev-list@...ineon.com, Simon Horman <simon.horman@...igine.com>, Stefano Stabellini <sstabellini@...nel.org>, Stefan Richter <stefanr@...6.in-berlin.de>, Steffen Klassert <steffen.klassert@...unet.com>, Stephen Hemminger <sthemmin@...rosoft.com>, Stephen Smalley <stephen.smalley.work@...il.com>, Tadeusz Struk <tadeusz.struk@...aro.org>, Takashi Iwai <tiwai@...e.com>, Tom Rix <trix@...hat.com>, Udipto Goswami <quic_ugoswami@...cinc.com>, Vincenzo Frascino <vincenzo.frascino@....com>, wcn36xx@...ts.infradead.org, Wei Liu <wei.liu@...nel.org>, xen-devel@...ts.xenproject.org, Xiu Jianfeng <xiujianfeng@...wei.com>, Yang Yingliang <yangyingliang@...wei.com> Subject: Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary On Tue, May 03, 2022 at 06:44:10PM -0700, Kees Cook wrote: > In preparation for run-time memcpy() bounds checking, split the nlmsg > copying for error messages (which crosses a previous unspecified flexible > array boundary) in half. Avoids the future run-time warning: > > memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" (size 16) > > Creates an explicit flexible array at the end of nlmsghdr for the payload, > named "nlmsg_payload". There is no impact on UAPI; the sizeof(struct > nlmsghdr) does not change, but now the compiler can better reason about > where things are being copied. > > Fixed-by: Rasmus Villemoes <linux@...musvillemoes.dk> > Link: https://lore.kernel.org/lkml/d7251d92-150b-5346-6237-52afc154bb00@rasmusvillemoes.dk > Cc: "David S. Miller" <davem@...emloft.net> > Cc: Jakub Kicinski <kuba@...nel.org> > Cc: Rich Felker <dalias@...ifal.cx> > Cc: Eric Dumazet <edumazet@...gle.com> > Cc: netdev@...r.kernel.org > Signed-off-by: Kees Cook <keescook@...omium.org> > --- > include/uapi/linux/netlink.h | 1 + > net/netlink/af_netlink.c | 5 ++++- > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h > index 855dffb4c1c3..47f9342d51bc 100644 > --- a/include/uapi/linux/netlink.h > +++ b/include/uapi/linux/netlink.h > @@ -47,6 +47,7 @@ struct nlmsghdr { > __u16 nlmsg_flags; /* Additional flags */ > __u32 nlmsg_seq; /* Sequence number */ > __u32 nlmsg_pid; /* Sending process port ID */ > + __u8 nlmsg_payload[];/* Contents of message */ > }; > > /* Flags values */ > diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c > index 1b5a9c2e1c29..09346aee1022 100644 > --- a/net/netlink/af_netlink.c > +++ b/net/netlink/af_netlink.c > @@ -2445,7 +2445,10 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, > NLMSG_ERROR, payload, flags); > errmsg = nlmsg_data(rep); > errmsg->error = err; > - memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); > + errmsg->msg = *nlh; > + if (payload > sizeof(*errmsg)) > + memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, > + nlh->nlmsg_len - sizeof(*nlh)); They have nlmsg_len()[1] for the length of the payload without the header: /** * nlmsg_len - length of message payload * @nlh: netlink message header */ static inline int nlmsg_len(const struct nlmsghdr *nlh) { return nlh->nlmsg_len - NLMSG_HDRLEN; } (would that function use some sanitization, though? what if nlmsg_len is somehow manipulated to be less than NLMSG_HDRLEN?...) Also, it seems there is at least one more instance of this same issue: diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 16ae92054baa..d06184b94af5 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1723,7 +1723,8 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb, nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); errmsg = nlmsg_data(rep); errmsg->error = ret; - memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); + errmsg->msg = *nlh; + memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, nlmsg_len(nlh)); cmdattr = (void *)&errmsg->msg + min_len; ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr, -- Gustavo [1] https://elixir.bootlin.com/linux/v5.18-rc5/source/include/net/netlink.h#L577
Powered by blists - more mailing lists