[PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
@ 2017-06-07 13:14 Mateusz Jurczyk
  2017-06-07 14:14 ` [PATCH v2] " Mateusz Jurczyk
  0 siblings, 1 reply; 5+ messages in thread
From: Mateusz Jurczyk @ 2017-06-07 13:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
  Cc: David S. Miller, netfilter-devel, coreteam, linux-decnet-user,
	netdev, linux-kernel

Verify that the length of the socket buffer is sufficient to cover the
entire nlh->nlmsg_len field before accessing that field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
---
 net/decnet/netfilter/dn_rtmsg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 1ed81ac6dd1a..26e020e9d415 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
 {
 	struct nlmsghdr *nlh = nlmsg_hdr(skb);

-	if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
+	if (skb->len < sizeof(nlh->nlmsg_len) ||
+	    nlh->nlmsg_len < sizeof(*nlh) ||
+	    skb->len < nlh->nlmsg_len)
 		return;

 	if (!netlink_capable(skb, CAP_NET_ADMIN))
-- 
2.13.1.508.gb3defc5cc-goog

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
  2017-06-07 13:14 [PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb Mateusz Jurczyk
@ 2017-06-07 14:14 ` Mateusz Jurczyk
  2017-06-07 14:18   ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Mateusz Jurczyk @ 2017-06-07 14:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
  Cc: David S. Miller, netfilter-devel, coreteam, linux-decnet-user,
	netdev, linux-kernel

Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
---
Changes in v2:
  - Compare skb->len against sizeof(*nlh) instead of sizeof(nlh->nlmsg_len)
    to avoid assuming the layout of the nlmsghdr structure. This was
    motivated by Eric Dumazet's comment on a related patch submission.

 net/decnet/netfilter/dn_rtmsg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 1ed81ac6dd1a..aa8ffecc46a4 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
 {
 	struct nlmsghdr *nlh = nlmsg_hdr(skb);
 
-	if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
+	if (skb->len < sizeof(*nlh) ||
+	    nlh->nlmsg_len < sizeof(*nlh) ||
+	    skb->len < nlh->nlmsg_len)
 		return;
 
 	if (!netlink_capable(skb, CAP_NET_ADMIN))
-- 
2.13.1.508.gb3defc5cc-goog

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
  2017-06-07 14:14 ` [PATCH v2] " Mateusz Jurczyk
@ 2017-06-07 14:18   ` Florian Westphal
  2017-06-07 14:41     ` Mateusz Jurczyk
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2017-06-07 14:18 UTC (permalink / raw)
  To: Mateusz Jurczyk
  Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S. Miller, netfilter-devel, coreteam, linux-decnet-user,
	netdev, linux-kernel

Mateusz Jurczyk <mjurczyk@google.com> wrote:
> Verify that the length of the socket buffer is sufficient to cover the
> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
> input sanitization. If the client only supplies 1-3 bytes of data in
> sk_buff, then nlh->nlmsg_len remains partially uninitialized and
> contains leftover memory from the corresponding kernel allocation.
> Operating on such data may result in indeterminate evaluation of the
> nlmsg_len < sizeof(*nlh) expression.
> 
> The bug was discovered by a runtime instrumentation designed to detect
> use of uninitialized memory in the kernel. The patch prevents this and
> other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Instead of changing all the internal users wouldn't it be better
to add this check once in netlink_unicast_kernel?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
  2017-06-07 14:18   ` Florian Westphal
@ 2017-06-07 14:41     ` Mateusz Jurczyk
  2017-06-08 14:39       ` David Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Mateusz Jurczyk @ 2017-06-07 14:41 UTC (permalink / raw)
  To: Florian Westphal
  Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, David S. Miller,
	netfilter-devel, coreteam, linux-decnet-user, netdev,
	linux-kernel

On Wed, Jun 7, 2017 at 4:18 PM, Florian Westphal <fw@strlen.de> wrote:
> Mateusz Jurczyk <mjurczyk@google.com> wrote:
>> Verify that the length of the socket buffer is sufficient to cover the
>> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
>> input sanitization. If the client only supplies 1-3 bytes of data in
>> sk_buff, then nlh->nlmsg_len remains partially uninitialized and
>> contains leftover memory from the corresponding kernel allocation.
>> Operating on such data may result in indeterminate evaluation of the
>> nlmsg_len < sizeof(*nlh) expression.
>>
>> The bug was discovered by a runtime instrumentation designed to detect
>> use of uninitialized memory in the kernel. The patch prevents this and
>> other similar tools (e.g. KMSAN) from flagging this behavior in the future.
>
> Instead of changing all the internal users wouldn't it be better
> to add this check once in netlink_unicast_kernel?
>

Perhaps. I must admit I'm not very familiar with this code
area/interface, so I preferred to fix the few specific cases instead
of submitting a general patch, which might have some unexpected side
effects, e.g. behavior different from one of the internal clients etc.

If you think one check in netlink_unicast_kernel is a better way to do
it, I'm happy to implement it like that.

Thanks,
Mateusz

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
  2017-06-07 14:41     ` Mateusz Jurczyk
@ 2017-06-08 14:39       ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2017-06-08 14:39 UTC (permalink / raw)
  To: mjurczyk
  Cc: fw, pablo, kadlec, netfilter-devel, coreteam, linux-decnet-user,
	netdev, linux-kernel

From: Mateusz Jurczyk <mjurczyk@google.com>
Date: Wed, 7 Jun 2017 16:41:57 +0200

> On Wed, Jun 7, 2017 at 4:18 PM, Florian Westphal <fw@strlen.de> wrote:
>> Mateusz Jurczyk <mjurczyk@google.com> wrote:
>>> Verify that the length of the socket buffer is sufficient to cover the
>>> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
>>> input sanitization. If the client only supplies 1-3 bytes of data in
>>> sk_buff, then nlh->nlmsg_len remains partially uninitialized and
>>> contains leftover memory from the corresponding kernel allocation.
>>> Operating on such data may result in indeterminate evaluation of the
>>> nlmsg_len < sizeof(*nlh) expression.
>>>
>>> The bug was discovered by a runtime instrumentation designed to detect
>>> use of uninitialized memory in the kernel. The patch prevents this and
>>> other similar tools (e.g. KMSAN) from flagging this behavior in the future.
>>
>> Instead of changing all the internal users wouldn't it be better
>> to add this check once in netlink_unicast_kernel?
>>
> 
> Perhaps. I must admit I'm not very familiar with this code
> area/interface, so I preferred to fix the few specific cases instead
> of submitting a general patch, which might have some unexpected side
> effects, e.g. behavior different from one of the internal clients etc.
> 
> If you think one check in netlink_unicast_kernel is a better way to do
> it, I'm happy to implement it like that.

Until we decide to add the check to netlink_unicast_kernel(), I'm applying
this and queueing it up for -stable.

Thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-06-08 14:39 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-06-07 13:14 [PATCH] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb Mateusz Jurczyk
2017-06-07 14:14 ` [PATCH v2] " Mateusz Jurczyk
2017-06-07 14:18   ` Florian Westphal
2017-06-07 14:41     ` Mateusz Jurczyk
2017-06-08 14:39       ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).