[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <04dbe1d5-51e8-42d5-a77d-59db4bc13957@stanley.mountain>
Date: Fri, 24 Jan 2025 17:35:24 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Thomas Graf <tgraf@...g.ch>, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net] net: netlink: prevent potential integer overflow in
nlmsg_new()
On Wed, Jan 22, 2025 at 06:24:27AM -0800, Jakub Kicinski wrote:
> On Wed, 22 Jan 2025 16:49:17 +0300 Dan Carpenter wrote:
> > The "payload" variable is type size_t, however the nlmsg_total_size()
> > function will a few bytes to it and then truncate the result to type
> > int. That means that if "payload" is more than UINT_MAX the alloc_skb()
> > function might allocate a buffer which is smaller than intended.
>
> Is there a bug, or is this theoretical?
The rule here is that if we pass something very close to UINT_MAX to
nlmsg_new() the it leads to an integer overflow. I'm not a networking
expert. The caller that concerned me was:
*** 1 ***
net/netfilter/ipset/ip_set_core.c
1762 /* Error in restore/batch mode: send back lineno */
1763 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1764 struct sk_buff *skb2;
1765 struct nlmsgerr *errmsg;
1766 size_t payload = min(SIZE_MAX,
1767 sizeof(*errmsg) + nlmsg_len(nlh));
I don't know the limits of limits of nlmsg_len() here.
The min(SIZE_MAX is what scared me. That was added to silence a Smatch
warning. :P It should be fixed or removed.
1768 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1769 struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
1770 struct nlattr *cmdattr;
1771 u32 *errline;
1772
1773 skb2 = nlmsg_new(payload, GFP_KERNEL);
1774 if (!skb2)
1775 return -ENOMEM;
*** 2 ***
There is similar code in netlink_ack() where the payload comes from
nlmsg_len(nlh).
*** 3 ***
There is a potential issue in queue_userspace_packet() when we call:
len = upcall_msg_size(upcall_info, hlen - cutlen, ...
^^^^^^^^^^^^^
user_skb = genlmsg_new(len, GFP_ATOMIC);
It's possible that hlen is less than cutlen. (That's a separate bug,
I'll send a fix for it).
regards,
dan carpenter
Powered by blists - more mailing lists