Re: [PATCH 1/2] netlink: Bounds-check nlmsg_len()

From: Jakub Kicinski
Date: Wed Aug 31 2022 - 23:18:44 EST


On Wed, 31 Aug 2022 20:06:09 -0700 Kees Cook wrote:
> static inline int nlmsg_len(const struct nlmsghdr *nlh)
> {
> - return nlh->nlmsg_len - NLMSG_HDRLEN;
> + u32 nlmsg_contents_len;
> +
> + if (WARN_ON_ONCE(check_sub_overflow(nlh->nlmsg_len,
> + (u32)NLMSG_HDRLEN,
> + &nlmsg_contents_len)))
> + return 0;
> + if (WARN_ON_ONCE(nlmsg_contents_len > INT_MAX))
> + return INT_MAX;
> + return nlmsg_contents_len;
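
Review bot: the `nlmsg_contents_len > INT_MAX` branch hands the caller INT_MAX as the payload length, a value far larger than any message it could index, while the underflow branch just above already returns 0 for a malformed header; returning 0 here too (`return 0;` in place of `return INT_MAX;`) keeps the two failure paths consistent and cannot be misread as a real length. The final `return nlmsg_contents_len;` also narrows u32 to the function's int return implicitly; an explicit `(int)` cast after the range check would make that intent visible.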

We check the messages on input, making sure the length is valid wrt
skb->len, and sane, i.e. > NLMSG_HDRLEN. See netlink_rcv_skb().

Can we not, pretty please? :(
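
As an added illustration, not part of the patch or of this reply, the following stand-alone C program reproduces the input-side check described above: walk a buffer of netlink messages, reject any header whose nlmsg_len is shorter than NLMSG_HDRLEN or longer than the bytes remaining, and only then compute the payload length. The struct and macros are a local copy of the uapi layout so the program builds without kernel headers; count_valid_nlmsgs(), nlmsg_payload_len() and put_hdr() are names chosen for this example, and the kernel's own loop lives in netlink_rcv_skb().

```c
/* Added example: a user-space model of the netlink_rcv_skb() length check
 * that runs before nlmsg_len() is ever applied to a received header. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local copy of the uapi struct nlmsghdr layout (assumption: identical to
 * <linux/netlink.h>, 16 bytes, naturally aligned fields). */
struct nlmsghdr {
    uint32_t nlmsg_len;    /* total length including this header */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NLMSG_ALIGNTO 4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN ((int)NLMSG_ALIGN(sizeof(struct nlmsghdr)))

/* Walk buf[0..len) as a sequence of netlink messages.  Returns how many
 * headers passed the sanity check; stops at the first one whose claimed
 * length is below NLMSG_HDRLEN (the case that would make the subtraction
 * in nlmsg_len() wrap) or beyond the bytes left in the buffer.  The offset
 * where walking stopped is written to *bad_offset when non-NULL. */
int count_valid_nlmsgs(const uint8_t *buf, size_t len, size_t *bad_offset)
{
    size_t off = 0;
    int n = 0;

    while (len - off >= (size_t)NLMSG_HDRLEN) {
        struct nlmsghdr nlh;
        size_t step;

        memcpy(&nlh, buf + off, sizeof(nlh));   /* no unaligned loads */

        if (nlh.nlmsg_len < (uint32_t)NLMSG_HDRLEN ||
            nlh.nlmsg_len > len - off) {
            if (bad_offset)
                *bad_offset = off;
            return n;   /* remainder is treated as garbage */
        }
        n++;

        /* Advance to the next aligned header, never past the buffer end
         * (a trailing message need not be padded to 4 bytes). */
        step = NLMSG_ALIGN(nlh.nlmsg_len);
        if (step > len - off)
            step = len - off;
        off += step;
    }
    if (bad_offset)
        *bad_offset = off;
    return n;
}

/* Payload length of a header that passed count_valid_nlmsgs(): the
 * subtraction cannot wrap because nlmsg_len >= NLMSG_HDRLEN was checked. */
int nlmsg_payload_len(const struct nlmsghdr *nlh)
{
    return (int)(nlh->nlmsg_len - (uint32_t)NLMSG_HDRLEN);
}

/* Write a header claiming nlmsg_len at dst (constructed test input). */
void put_hdr(uint8_t *dst, uint32_t nlmsg_len)
{
    struct nlmsghdr nlh = { nlmsg_len, 0, 0, 1, 0 };
    memcpy(dst, &nlh, sizeof(nlh));
}

int main(void)
{
    uint8_t buf[64];
    size_t bad;

    memset(buf, 0, sizeof(buf));
    put_hdr(buf, 20);          /* header + 4 bytes of payload */
    put_hdr(buf + 20, 16);     /* header only */
    printf("valid: %d (stopped at %zu)\n",
           count_valid_nlmsgs(buf, 36, &bad), bad);

    put_hdr(buf + 20, 8);      /* shorter than the header itself */
    printf("valid: %d (stopped at %zu)\n",
           count_valid_nlmsgs(buf, 36, &bad), bad);
    return 0;
}
```

The first walk accepts both messages; the second stops at offset 20, which is the header the unchecked `nlh->nlmsg_len - NLMSG_HDRLEN` would have turned into a huge unsigned value.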