lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250521090159.GR365796@horms.kernel.org>
Date: Wed, 21 May 2025 10:01:59 +0100
From: Simon Horman <horms@...nel.org>
To: Jeremy Kerr <jk@...econstruct.com.au>
Cc: Matt Johnston <matt@...econstruct.com.au>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	netdev@...r.kernel.org
Subject: Re: [PATCH net-next] net: mctp: use nlmsg_payload() for netlink
 message data extraction

On Wed, May 21, 2025 at 10:05:36AM +0800, Jeremy Kerr wrote:
> Hi Horms,
> 
> Thanks for the review!
> 
> > > --- a/net/mctp/neigh.c
> > > +++ b/net/mctp/neigh.c
> > > @@ -250,7 +250,10 @@ static int mctp_rtm_getneigh(struct sk_buff *skb, struct netlink_callback *cb)
> > >                 int idx;
> > >         } *cbctx = (void *)cb->ctx;
> > >  
> > > -       ndmsg = nlmsg_data(cb->nlh);
> > > +       ndmsg = nlmsg_payload(cb->nlh, sizeof(*ndmsg));
> > > +       if (!ndmsg)
> > > +               return -EINVAL;
> > > +
> > 
> > But is this one a bug fix?
> 
> At the moment, we cannot hit the case where the nlh does not contain a
> full ndmsg, as the core handler (net/core/neighbour.c, neigh_get()) has
> already validated the size (through neigh_valid_req_get()), and would
> have failed the get before the MCTP hander is called.
> 
> However, relying on that is a bit fragile, hence applying the
> nlmsg_payload replacement here.
> 
> I'm happy to split it out if that makes more sense though; in which case
> this change would be initially implemented as check on ->nlmsg_len (in
> order to be backportable to stable), and then a subsequent rework to use
> nlmsg_payload. Let me know what would work best.

Hi Jeremy,

Thanks for the explanation. I think it might be best to add some commentary
to the commit message, as this was not obvious to me. But I don't feel
strongly about this.

So either way, this patch now looks good to me.

Reviewed-by: Simon Horman <horms@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ