lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z/13ZnIO0EfF29/N@pop-os.localdomain>
Date: Mon, 14 Apr 2025 14:00:22 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Toke Høiland-Jørgensen <toke@...hat.com>
Cc: Jamal Hadi Salim <jhs@...atatu.com>, Jiri Pirko <jiri@...nulli.us>,
	Ilya Maximets <i.maximets@...hat.com>,
	Frode Nordahl <frode.nordahl@...onical.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>, netdev@...r.kernel.org
Subject: Re: [PATCH net] tc: Ensure we have enough buffer space when sending
 filter netlink notifications

On Thu, Apr 10, 2025 at 12:28:43PM +0200, Toke Høiland-Jørgensen wrote:
> Cong Wang <xiyou.wangcong@...il.com> writes:
> 
> > On Mon, Apr 07, 2025 at 12:55:34PM +0200, Toke Høiland-Jørgensen wrote:
> >> +static struct sk_buff *tfilter_notify_prep(struct net *net,
> >> +					   struct sk_buff *oskb,
> >> +					   struct nlmsghdr *n,
> >> +					   struct tcf_proto *tp,
> >> +					   struct tcf_block *block,
> >> +					   struct Qdisc *q, u32 parent,
> >> +					   void *fh, int event,
> >> +					   u32 portid, bool rtnl_held,
> >> +					   struct netlink_ext_ack *extack)
> >> +{
> >> +	unsigned int size = oskb ? max(NLMSG_GOODSIZE, oskb->len) : NLMSG_GOODSIZE;
> >> +	struct sk_buff *skb;
> >> +	int ret;
> >> +
> >> +retry:
> >> +	skb = alloc_skb(size, GFP_KERNEL);
> >> +	if (!skb)
> >> +		return ERR_PTR(-ENOBUFS);
> >> +
> >> +	ret = tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
> >> +			    n->nlmsg_seq, n->nlmsg_flags, event, false,
> >> +			    rtnl_held, extack);
> >> +	if (ret <= 0) {
> >> +		kfree_skb(skb);
> >> +		if (ret == -EMSGSIZE) {
> >> +			size += NLMSG_GOODSIZE;
> >> +			goto retry;
> >
> > It is a bit concerning to see this technically unbound loop.
> 
> Well, I did think about that. The loop will terminate eventually by
> either succeeding, or failing the allocation. Most likely the former,
> since this is only called after a filter has been successfully
> installed. I.e., it's not like the amount of data being put into the skb
> is unbounded.

Yeah, I totally agree, it is probably just a theoretical problem.

> 
> >> +		}
> >> +		return ERR_PTR(-EINVAL);
> >
> > I think you probably want to propagate the error code from
> > tcf_fill_node() here.
> 
> I just kept the existing return value (of tfilter_notify()) for the same
> error case. tcf_fill_node() always returns -1 on error, so I think it
> makes more sense to keep this?
> 
> Paolo already merged the patch, and I don't think it's worth it to
> follow up with any fixes, cf the above. WDYT?

Not a big deal, we can keep as it is.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ