* BROKEN Re: [PATCH] netlink: 2-clause nla_ok()
@ 2016-12-05 14:56 Alexey Dobriyan
2016-12-05 15:09 ` Johannes Berg
0 siblings, 1 reply; 4+ messages in thread
From: Alexey Dobriyan @ 2016-12-05 14:56 UTC (permalink / raw)
To: David Miller; +Cc: netdev
David, please do
git revert 4f7df337fe79bba1e4c2d525525d63b5ba186bbd
I'm an idiot.
All rationale in the commit would be correct if reading "nla_len"
didn't require memory access. But it does.
return rem >= (int)sizeof(*nla) &&
nla->nla_len >= sizeof(*nla) &&
nla->nla_len <= remaining;
Those logical ands ensure that memory access is not done
if "rem" is small enough to even fetch ->nla_len.
Maybe someone could vouch that other checks prevent
this kind of situation from happening but not me.
How very embarrassing.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: BROKEN Re: [PATCH] netlink: 2-clause nla_ok()
2016-12-05 14:56 BROKEN Re: [PATCH] netlink: 2-clause nla_ok() Alexey Dobriyan
@ 2016-12-05 15:09 ` Johannes Berg
2016-12-13 19:30 ` [PATCH net-next] netlink: revert broken, broken "2-clause nla_ok()" Alexey Dobriyan
0 siblings, 1 reply; 4+ messages in thread
From: Johannes Berg @ 2016-12-05 15:09 UTC (permalink / raw)
To: Alexey Dobriyan, David Miller; +Cc: netdev
> Maybe someone could vouch that other checks prevent
> this kind of situation from happening but not me.
No, now that you spell it out (and I see the patch) - this is
absolutely needed because nla_for_each_attr() [1] can be called on
arbitrary data coming from userspace in a message, e.g. by way
of nla_for_each_nested(). Even if it's not malformed, nla_ok() is the
only abort condition for that loop, so it would read at least one
nla_len after the real buffer without that condition.
johannes
[1] which seems to be the only significant user thereof
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH net-next] netlink: revert broken, broken "2-clause nla_ok()"
2016-12-05 15:09 ` Johannes Berg
@ 2016-12-13 19:30 ` Alexey Dobriyan
2016-12-13 19:55 ` David Miller
0 siblings, 1 reply; 4+ messages in thread
From: Alexey Dobriyan @ 2016-12-13 19:30 UTC (permalink / raw)
To: davem; +Cc: netdev, johannes
Commit 4f7df337fe79bba1e4c2d525525d63b5ba186bbd
"netlink: 2-clause nla_ok()" is BROKEN.
First clause tests if "->nla_len" could even be accessed at all,
it can not possibly be omitted.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
include/net/netlink.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -698,7 +698,8 @@ static inline int nla_len(const struct nlattr *nla)
*/
static inline int nla_ok(const struct nlattr *nla, int remaining)
{
- return nla->nla_len >= sizeof(*nla) &&
+ return remaining >= (int) sizeof(*nla) &&
+ nla->nla_len >= sizeof(*nla) &&
nla->nla_len <= remaining;
}
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-12-13 20:04 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-12-05 14:56 BROKEN Re: [PATCH] netlink: 2-clause nla_ok() Alexey Dobriyan
2016-12-05 15:09 ` Johannes Berg
2016-12-13 19:30 ` [PATCH net-next] netlink: revert broken, broken "2-clause nla_ok()" Alexey Dobriyan
2016-12-13 19:55 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).