* [PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
@ 2017-06-07 13:14 Mateusz Jurczyk
2017-06-07 14:14 ` [PATCH v2] " Mateusz Jurczyk
0 siblings, 1 reply; 5+ messages in thread
From: Mateusz Jurczyk @ 2017-06-07 13:14 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: David S. Miller, netfilter-devel, coreteam, linux-decnet-user,
netdev, linux-kernel
Verify that the length of the socket buffer is sufficient to cover the
entire nlh->nlmsg_len field before accessing that field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.
The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
---
net/decnet/netfilter/dn_rtmsg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 1ed81ac6dd1a..26e020e9d415 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
{
struct nlmsghdr *nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
+ if (skb->len < sizeof(nlh->nlmsg_len) ||
+ nlh->nlmsg_len < sizeof(*nlh) ||
+ skb->len < nlh->nlmsg_len)
return;
if (!netlink_capable(skb, CAP_NET_ADMIN))
--
2.13.1.508.gb3defc5cc-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
2017-06-07 13:14 [PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb Mateusz Jurczyk
@ 2017-06-07 14:14 ` Mateusz Jurczyk
2017-06-07 14:18 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Mateusz Jurczyk @ 2017-06-07 14:14 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: David S. Miller, netfilter-devel, coreteam, linux-decnet-user,
netdev, linux-kernel
Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.
The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
---
Changes in v2:
- Compare skb->len against sizeof(*nlh) instead of sizeof(nlh->nlmsg_len)
to avoid assuming the layout of the nlmsghdr structure. This was
motivated by Eric Dumazet's comment on a related patch submission.
net/decnet/netfilter/dn_rtmsg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 1ed81ac6dd1a..aa8ffecc46a4 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
{
struct nlmsghdr *nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
+ if (skb->len < sizeof(*nlh) ||
+ nlh->nlmsg_len < sizeof(*nlh) ||
+ skb->len < nlh->nlmsg_len)
return;
if (!netlink_capable(skb, CAP_NET_ADMIN))
--
2.13.1.508.gb3defc5cc-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
2017-06-07 14:14 ` [PATCH v2] " Mateusz Jurczyk
@ 2017-06-07 14:18 ` Florian Westphal
2017-06-07 14:41 ` Mateusz Jurczyk
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2017-06-07 14:18 UTC (permalink / raw)
To: Mateusz Jurczyk
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
David S. Miller, netfilter-devel, coreteam, linux-decnet-user,
netdev, linux-kernel
Mateusz Jurczyk <mjurczyk@google.com> wrote:
> Verify that the length of the socket buffer is sufficient to cover the
> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
> input sanitization. If the client only supplies 1-3 bytes of data in
> sk_buff, then nlh->nlmsg_len remains partially uninitialized and
> contains leftover memory from the corresponding kernel allocation.
> Operating on such data may result in indeterminate evaluation of the
> nlmsg_len < sizeof(*nlh) expression.
>
> The bug was discovered by a runtime instrumentation designed to detect
> use of uninitialized memory in the kernel. The patch prevents this and
> other similar tools (e.g. KMSAN) from flagging this behavior in the future.
Instead of changing all the internal users wouldn't it be better
to add this check once in netlink_unicast_kernel?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
2017-06-07 14:18 ` Florian Westphal
@ 2017-06-07 14:41 ` Mateusz Jurczyk
2017-06-08 14:39 ` David Miller
0 siblings, 1 reply; 5+ messages in thread
From: Mateusz Jurczyk @ 2017-06-07 14:41 UTC (permalink / raw)
To: Florian Westphal
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, David S. Miller,
netfilter-devel, coreteam, linux-decnet-user, netdev,
linux-kernel
On Wed, Jun 7, 2017 at 4:18 PM, Florian Westphal <fw@strlen.de> wrote:
> Mateusz Jurczyk <mjurczyk@google.com> wrote:
>> Verify that the length of the socket buffer is sufficient to cover the
>> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
>> input sanitization. If the client only supplies 1-3 bytes of data in
>> sk_buff, then nlh->nlmsg_len remains partially uninitialized and
>> contains leftover memory from the corresponding kernel allocation.
>> Operating on such data may result in indeterminate evaluation of the
>> nlmsg_len < sizeof(*nlh) expression.
>>
>> The bug was discovered by a runtime instrumentation designed to detect
>> use of uninitialized memory in the kernel. The patch prevents this and
>> other similar tools (e.g. KMSAN) from flagging this behavior in the future.
>
> Instead of changing all the internal users wouldn't it be better
> to add this check once in netlink_unicast_kernel?
>
Perhaps. I must admit I'm not very familiar with this code
area/interface, so I preferred to fix the few specific cases instead
of submitting a general patch, which might have some unexpected side
effects, e.g. behavior different from one of the internal clients etc.
If you think one check in netlink_unicast_kernel is a better way to do
it, I'm happy to implement it like that.
Thanks,
Mateusz
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
2017-06-07 14:41 ` Mateusz Jurczyk
@ 2017-06-08 14:39 ` David Miller
0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2017-06-08 14:39 UTC (permalink / raw)
To: mjurczyk
Cc: fw, pablo, kadlec, netfilter-devel, coreteam, linux-decnet-user,
netdev, linux-kernel
From: Mateusz Jurczyk <mjurczyk@google.com>
Date: Wed, 7 Jun 2017 16:41:57 +0200
> On Wed, Jun 7, 2017 at 4:18 PM, Florian Westphal <fw@strlen.de> wrote:
>> Mateusz Jurczyk <mjurczyk@google.com> wrote:
>>> Verify that the length of the socket buffer is sufficient to cover the
>>> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
>>> input sanitization. If the client only supplies 1-3 bytes of data in
>>> sk_buff, then nlh->nlmsg_len remains partially uninitialized and
>>> contains leftover memory from the corresponding kernel allocation.
>>> Operating on such data may result in indeterminate evaluation of the
>>> nlmsg_len < sizeof(*nlh) expression.
>>>
>>> The bug was discovered by a runtime instrumentation designed to detect
>>> use of uninitialized memory in the kernel. The patch prevents this and
>>> other similar tools (e.g. KMSAN) from flagging this behavior in the future.
>>
>> Instead of changing all the internal users wouldn't it be better
>> to add this check once in netlink_unicast_kernel?
>>
>
> Perhaps. I must admit I'm not very familiar with this code
> area/interface, so I preferred to fix the few specific cases instead
> of submitting a general patch, which might have some unexpected side
> effects, e.g. behavior different from one of the internal clients etc.
>
> If you think one check in netlink_unicast_kernel is a better way to do
> it, I'm happy to implement it like that.
Until we decide to add the check to netlink_unicast_kernel(), I'm applying
this and queueing it up for -stable.
Thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-06-08 14:39 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-06-07 13:14 [PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb Mateusz Jurczyk
2017-06-07 14:14 ` [PATCH v2] " Mateusz Jurczyk
2017-06-07 14:18 ` Florian Westphal
2017-06-07 14:41 ` Mateusz Jurczyk
2017-06-08 14:39 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).