From: Jiri Pirko <jiri@resnulli.us>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
	edumazet@google.com, fw@strlen.de
Subject: Re: [PATCH net] netlink: validate length of NLA_{BE16,BE32} types
Date: Mon, 26 Feb 2024 13:52:55 +0100	[thread overview]
Message-ID: <ZdyJp3kb--fjF09V@nanopsycho> (raw)
In-Reply-To: <20240225225845.45555-1-pablo@netfilter.org>

Sun, Feb 25, 2024 at 11:58:45PM CET, pablo@netfilter.org wrote:
>syzbot reports:
>
>=====================================================
>BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
>BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
>BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
>BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
> nla_validate_range_unsigned lib/nlattr.c:222 [inline]
> nla_validate_int_range lib/nlattr.c:336 [inline]
> validate_nla lib/nlattr.c:575 [inline]
> __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
> __nla_parse+0x5f/0x70 lib/nlattr.c:728
> nla_parse_deprecated include/net/netlink.h:703 [inline]
> nfnetlink_rcv_msg+0x723/0xde0 net/netfilter/nfnetlink.c:275
> netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2543
> nfnetlink_rcv+0x372/0x4950 net/netfilter/nfnetlink.c:659
> netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
> netlink_unicast+0xf49/0x1250 net/netlink/af_netlink.c:1367
> netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1908
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
> __sys_sendmsg net/socket.c:2667 [inline]
> __do_sys_sendmsg net/socket.c:2676 [inline]
> __se_sys_sendmsg net/socket.c:2674 [inline]
> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
>Uninit was created at:
> slab_post_alloc_hook mm/slub.c:3819 [inline]
> slab_alloc_node mm/slub.c:3860 [inline]
> kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
> __alloc_skb+0x352/0x790 net/core/skbuff.c:651
> alloc_skb include/linux/skbuff.h:1296 [inline]
> netlink_alloc_large_skb net/netlink/af_netlink.c:1213 [inline]
> netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1883
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
> __sys_sendmsg net/socket.c:2667 [inline]
> __do_sys_sendmsg net/socket.c:2676 [inline]
> __se_sys_sendmsg net/socket.c:2674 [inline]
> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
>NLA_BE16 and NLA_BE32 minimum attribute length is not validated, update
>nla_attr_len and nla_attr_minlen accordingly.
>
>After this update, kernel displays:
>
>  netlink: 'x': attribute type 2 has an invalid length.
>
>in case that the attribute payload is too small and it reports -ERANGE
>to userspace.
>
>Fixes: ecaf75ffd5f5 ("netlink: introduce bigendian integer types")
>Reported-by: syzbot+3f497b07aa3baf2fb4d0@syzkaller.appspotmail.com
>Reported-by: xingwei lee <xrivendell7@gmail.com>
>Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Reviewed-by: Jiri Pirko <jiri@nvidia.com>
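As an added illustration (not part of this thread or of the kernel's own code), a simplified userspace model of the per-type minimum-length check the patch adds: with a zero minimum length for NLA_BE32, a 1-byte attribute passes the length test and the range check consumes four bytes, three of them beyond the payload (the uninitialized skb memory KMSAN flagged); with the minimum set, the same attribute is rejected with -ERANGE before any value is read. The table names, the type enum and the -1 return for unknown types are assumptions of this model.

```c
/* Constructed model of netlink attribute validation; not lib/nlattr.c. */
#include <stdint.h>
#include <string.h>

#define ERANGE_ERR (-34)                 /* mirrors -ERANGE */
enum { NLA_U32, NLA_BE16, NLA_BE32, NLA_TYPE_MAX };   /* assumed subset */

/* Per-type minimum payload length; 0 means "no check" (pre-fix for BE types). */
static const uint16_t minlen_buggy[NLA_TYPE_MAX] = { [NLA_U32] = 4 };
static const uint16_t minlen_fixed[NLA_TYPE_MAX] = {
    [NLA_U32] = 4, [NLA_BE16] = 2, [NLA_BE32] = 4,
};

struct attr { uint8_t type; uint16_t len; const uint8_t *data; };

/* Returns 0 if valid, ERANGE_ERR if the payload is too short or the value
 * exceeds 'max', -1 for an unknown type. 'read_bytes' reports how many
 * payload bytes the range check consumed; read_bytes > len is the over-read. */
static int validate_attr(const struct attr *a, const uint16_t *minlen,
                         uint32_t max, unsigned *read_bytes)
{
    const uint8_t *d = a->data;
    uint32_t v;

    *read_bytes = 0;
    if (a->type >= NLA_TYPE_MAX)
        return -1;
    if (a->len < minlen[a->type])        /* the check the patch makes effective */
        return ERANGE_ERR;
    switch (a->type) {
    case NLA_BE16:
        v = ((uint32_t)d[0] << 8) | d[1];
        *read_bytes = 2;
        break;
    case NLA_BE32:
        v = ((uint32_t)d[0] << 24) | ((uint32_t)d[1] << 16) |
            ((uint32_t)d[2] << 8) | d[3];
        *read_bytes = 4;
        break;
    default:                             /* host-endian NLA_U32 */
        memcpy(&v, d, 4);
        *read_bytes = 4;
        break;
    }
    return v <= max ? 0 : ERANGE_ERR;
}

/* Constructed attributes: a 1-byte NLA_BE32 (only byte 0 is real payload),
 * and two well-formed NLA_BE32 values, 0x10 and 0x100. */
static const uint8_t short_payload[4] = { 0x01, 0xAA, 0xAA, 0xAA };
static const uint8_t ok_payload[4]    = { 0x00, 0x00, 0x00, 0x10 };
static const uint8_t big_payload[4]   = { 0x00, 0x00, 0x01, 0x00 };
static const struct attr short_be32 = { NLA_BE32, 1, short_payload };
static const struct attr ok_be32    = { NLA_BE32, 4, ok_payload };
static const struct attr big_be32   = { NLA_BE32, 4, big_payload };
```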

Thread overview (5+ messages):
2024-02-25 22:58 [PATCH net] netlink: validate length of NLA_{BE16,BE32} types Pablo Neira Ayuso
2024-02-26 12:52 ` Jiri Pirko [this message]
2024-02-26 13:04 ` Eric Dumazet
2024-02-26 15:18 ` Jakub Kicinski
2024-02-26 15:31   ` Pablo Neira Ayuso