lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <04dbe1d5-51e8-42d5-a77d-59db4bc13957@stanley.mountain>
Date: Fri, 24 Jan 2025 17:35:24 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Thomas Graf <tgraf@...g.ch>, "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net] net: netlink: prevent potential integer overflow in
 nlmsg_new()

On Wed, Jan 22, 2025 at 06:24:27AM -0800, Jakub Kicinski wrote:
> On Wed, 22 Jan 2025 16:49:17 +0300 Dan Carpenter wrote:
> > The "payload" variable is type size_t, however the nlmsg_total_size()
> > function will a few bytes to it and then truncate the result to type
> > int.  That means that if "payload" is more than UINT_MAX the alloc_skb()
> > function might allocate a buffer which is smaller than intended.
> 
> Is there a bug, or is this theoretical?

The rule here is that if we pass something very close to UINT_MAX to
nlmsg_new() the it leads to an integer overflow.  I'm not a networking
expert.  The caller that concerned me was:

*** 1 ***

net/netfilter/ipset/ip_set_core.c
  1762                  /* Error in restore/batch mode: send back lineno */
  1763                  struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
  1764                  struct sk_buff *skb2;
  1765                  struct nlmsgerr *errmsg;
  1766                  size_t payload = min(SIZE_MAX,
  1767                                       sizeof(*errmsg) + nlmsg_len(nlh));

I don't know the limits of limits of nlmsg_len() here.

The min(SIZE_MAX is what scared me.  That was added to silence a Smatch
warning.  :P  It should be fixed or removed.

  1768                  int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
  1769                  struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
  1770                  struct nlattr *cmdattr;
  1771                  u32 *errline;
  1772  
  1773                  skb2 = nlmsg_new(payload, GFP_KERNEL);
  1774                  if (!skb2)
  1775                          return -ENOMEM;

*** 2 ***
There is similar code in netlink_ack() where the payload comes from
nlmsg_len(nlh).

*** 3 ***

There is a potential issue in queue_userspace_packet() when we call:

	len = upcall_msg_size(upcall_info, hlen - cutlen, ...
                                           ^^^^^^^^^^^^^
	user_skb = genlmsg_new(len, GFP_ATOMIC);

It's possible that hlen is less than cutlen.  (That's a separate bug,
I'll send a fix for it).

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ