lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 11 Dec 2023 09:39:57 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Kees Cook' <>, Jakub Kicinski <>
CC: kernel test robot <>, "David S . Miller"
	<>, Eric Dumazet <>, Paolo Abeni
	<>, Johannes Berg <>, Jeff Johnson
	<>, Michael Walle <>, Max Schulze
	<>, "" <>,
	"" <>,
	"" <>,
	"" <>
Subject: RE: [PATCH v3] netlink: Return unsigned value for nla_len()

From: Kees Cook
> Sent: 06 December 2023 20:59
> The return value from nla_len() is never expected to be negative, and can
> never be more than struct nlattr::nla_len (a u16). Adjust the prototype
> on the function. This will let GCC's value range optimization passes
> know that the return can never be negative, and can never be larger than
> u16. As recently discussed[1], this silences the following warning in
> GCC 12+:
> -static inline int nla_len(const struct nlattr *nla)
> +static inline u16 nla_len(const struct nlattr *nla)
>  {
>  	return nla->nla_len - NLA_HDRLEN;
>  }

It also adds an explicit mask with 0xffff.
I suspect that returning 'unsigned int' will silence the warning
from gcc (since the error message has a huge max size).

If the value is too small copying ~64k or ~4G will both overflow the
The former might (just) be exploitable, the latter will crash
(so is probably better!)


Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists