| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Nov 2017 23:21:01 +0900 (KST)
From: David Miller <davem@...emloft.net>
To: johannes@...solutions.net
Cc: Jason@...c4.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] af_netlink: ensure that NLMSG_DONE never fails in
dumps
From: Johannes Berg <johannes@...solutions.net>
Date: Sat, 11 Nov 2017 15:15:21 +0100
> On Sat, 2017-11-11 at 23:09 +0900, David Miller wrote:
>> From: "Jason A. Donenfeld" <Jason@...c4.com>
>> Date: Thu, 9 Nov 2017 13:04:44 +0900
>>
>> > @@ -2195,13 +2197,15 @@ static int netlink_dump(struct sock *sk)
>> > return 0;
>> > }
>> >
>> > - nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
>> > - if (!nlh)
>> > + nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE,
>> > + sizeof(nlk->dump_done_errno), NLM_F_MULTI);
>> > + if (WARN_ON(!nlh))
>> > goto errout_skb;
>>
>> If you're handling this by forcing another read() to procude the
>> NLMSG_DONE, then you have no reason to WARN_ON() here.
>>
>> In fact you are adding a WARN_ON() which is trivially triggerable by
>> any user.
>
> I added this in my suggestion for how this could work, but I don't
> think you're right, since we previously check if there's enough space.
> The patch is missing the full context, but this is:
...
> So unless the nlmsg_total_size() vs. nlmsg_put_answer() suddenly gets a
> different idea of how much space is needed, nlh shouldn't ever be NULL
> once we get here.
Aha, that's what I missed. Indeed, it cannot happen.
My bad.
Powered by blists - more mailing lists