[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <cedbaec9-d149-48af-8068-182f0af5a89c@stanley.mountain>
Date: Wed, 18 Dec 2024 13:54:38 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Herbert Xu <herbert@...dor.apana.org.au>,
Justin Stitt <justinstitt@...gle.com>, Kees Cook <kees@...nel.org>
Cc: Steffen Klassert <steffen.klassert@...unet.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH net] xfrm: Rewrite key length conversion to avoid
overflows
On Wed, Dec 18, 2024 at 05:42:35PM +0800, Herbert Xu wrote:
> On Tue, Dec 17, 2024 at 03:32:31PM +0300, Dan Carpenter wrote:
> >
> > That seems like basic algebra but we have a long history of getting
> > integer overflow checks wrong so these days I like to just use
> > INT_MAX where ever I can. I wanted to use USHRT_MAX. We aren't allowed
> > to use more than USHRT_MAX bytes, but maybe we're allowed USHRT_MAX
> > bits, so I didn't do that.
>
> There is no reason for this to overflow if we rewrite it do do
> the division carefully. Something like this:
>
I like it! So obvious in retrospect. Kees, Justin, this is probably a
good strategy for dealing with round_up() related integer overflows
generally.
overflows to zero: (len + 7) / 8
no overflow: len / 8 + !!(len & 7)
> Steffen, this raises a new question: Can normal users create socket
> policies of arbtirarily long key lengths? If so we probably should
> look into limiting the key length to a sane value. Of course, given
> namespaces we probably should do that in any case.
The length is capped in verify_one_alg() type functions:
if (nla_len(rt) < (int)xfrm_alg_len(algp)) {
nla_len() is a USHRT_MAX so the rounded value can't be higher than that.
The (int) cast is unnecessary and confusing. The condition should
probably flipped around so the untrusted part is on the left.
if (xfrm_alg_len(algp) > nla_len(rt))
return -EINVAL;
regards,
dan carpenter
Powered by blists - more mailing lists