lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 29 Apr 2020 11:10:34 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Johannes Berg <johannes@...solutions.net>
Cc:     netdev@...r.kernel.org, Antonio Quartulli <ordex@...istici.org>,
        linux-wireless@...r.kernel.org,
        Johannes Berg <johannes.berg@...el.com>
Subject: Re: [PATCH 4/7] netlink: extend policy range validation

On Wed, 29 Apr 2020 15:48:40 +0200 Johannes Berg wrote:
> diff --git a/lib/nlattr.c b/lib/nlattr.c
> index 7f7ebd89caa4..bb66d06cc6f9 100644
> --- a/lib/nlattr.c
> +++ b/lib/nlattr.c
> @@ -111,17 +111,33 @@ static int nla_validate_array(const struct nlattr *head, int len, int maxtype,
>  	return 0;
>  }
>  
> -static int nla_validate_int_range(const struct nla_policy *pt,
> -				  const struct nlattr *nla,
> -				  struct netlink_ext_ack *extack)
> +static int nla_validate_int_range_unsigned(const struct nla_policy *pt,
> +					   const struct nlattr *nla,
> +					   struct netlink_ext_ack *extack)
>  {
> -	bool validate_min, validate_max;
> -	s64 value;
> +	struct netlink_range_validation _range = {
> +		.min = 0,
> +		.max = U64_MAX,
> +	}, *range = &_range;
> +	u64 value;
>  
> -	validate_min = pt->validation_type == NLA_VALIDATE_RANGE ||
> -		       pt->validation_type == NLA_VALIDATE_MIN;
> -	validate_max = pt->validation_type == NLA_VALIDATE_RANGE ||
> -		       pt->validation_type == NLA_VALIDATE_MAX;
> +	WARN_ON_ONCE(pt->min < 0 || pt->max < 0);

I'm probably missing something, but in case of NLA_VALIDATE_RANGE_PTR
aren't min and max invalid (union has the range pointer set, so this
will read 2 bytes of the pointer).

> +	switch (pt->validation_type) {
> +	case NLA_VALIDATE_RANGE:
> +		range->min = pt->min;
> +		range->max = pt->max;
> +		break;
> +	case NLA_VALIDATE_RANGE_PTR:
> +		range = pt->range;
> +		break;
> +	case NLA_VALIDATE_MIN:
> +		range->min = pt->min;
> +		break;
> +	case NLA_VALIDATE_MAX:
> +		range->max = pt->max;
> +		break;
> +	}

Powered by blists - more mailing lists