From: Kees Cook <keescook@chromium.org>
To: Sam Mendoza-Jonas <sam@mendozajonas.com>, Joel Stanley <joel@jms.id.au>
Cc: Networking <netdev@vger.kernel.org>, linux-hardening@vger.kernel.org
Subject: Re: warn in ncsi netlink code
Date: Mon, 21 Nov 2022 20:23:28 -0800 [thread overview]
Message-ID: <202211211936.9537DD8D@keescook> (raw)
In-Reply-To: <74BE39CB-E770-4526-9FCD-CC602178E26F@mendozajonas.com>
On Sun, Nov 20, 2022 at 11:27:14AM +1100, Sam Mendoza-Jonas wrote:
> On November 17, 2022 3:35:17 PM GMT+11:00, Joel Stanley <joel@jms.id.au> wrote:
> >next-20221114 running on an ast2600 system produced this:
> >
> >[ 44.627332] ------------[ cut here ]------------
> >[ 44.632657] WARNING: CPU: 0 PID: 508 at net/ncsi/ncsi-cmd.c:231 ncsi_cmd_handler_oem+0xbc/0xd0
> >[ 44.642387] memcpy: detected field-spanning write (size 7) of single field "&cmd->mfr_id" at net/ncsi/ncsi-cmd.c:231 (size 4)
> [...]
> >
> >The relevant code:
> >
> >static int ncsi_cmd_handler_oem(struct sk_buff *skb,
> > struct ncsi_cmd_arg *nca)
> >{
> > struct ncsi_cmd_oem_pkt *cmd;
> > unsigned int len;
> > int payload;
> > /* NC-SI spec DSP_0222_1.2.0, section 8.2.2.2
> > * requires payload to be padded with 0 to
> > * 32-bit boundary before the checksum field.
> > * Ensure the padding bytes are accounted for in
> > * skb allocation
> > */
> >
> > payload = ALIGN(nca->payload, 4);
> > len = sizeof(struct ncsi_cmd_pkt_hdr) + 4;
> > len += max(payload, padding_bytes);
> >
> > cmd = skb_put_zero(skb, len);
> > memcpy(&cmd->mfr_id, nca->data, nca->payload);
> > ncsi_cmd_build_header(&cmd->cmd.common, nca);
> >
> > return 0;
> >}
> >
> >I think it's copying the command payload to the command packet,
> >starting at the offset of mfr_id:
> >
> >struct ncsi_cmd_oem_pkt {
> > struct ncsi_cmd_pkt_hdr cmd; /* Command header */
> > __be32 mfr_id; /* Manufacture ID */
> > unsigned char data[]; /* OEM Payload Data */
> >};
> >
> >But I'm not too sure.
> >
> >Cheers,
> >
> >Joel
>
>
> While it looks a little gross I'm pretty sure this is the intended behavior for the OEM commands. We'll need to massage that into something nicer.
Hi!
Ah, yes, another case of deserializing into a flexible array structure.
It looks like payload length is kept in cmd.common.length, and has
been effectively bounds-checked.
Regardless, we've been handling this in a couple ways:
1) split the struct member write from the dynamically sized
portion of the write.
2) use unsafe_memcpy() with a good comment.
I'd like to be using a third option, a common deserializer[1], but it
doesn't exist yet. (This case would use the proposed mem_to_flex().)
In this case, since "payload" may be less than sizeof(mfr_id), I suspect
an unsafe_memcpy() is best.
-Kees
[1] https://lore.kernel.org/all/20220504014440.3697851-3-keescook@chromium.org/
--
Kees Cook
prev parent reply other threads:[~2022-11-22 4:23 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-17 4:35 warn in ncsi netlink code Joel Stanley
2022-11-20 0:27 ` Sam Mendoza-Jonas
2022-11-22 4:23 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202211211936.9537DD8D@keescook \
--to=keescook@chromium.org \
--cc=joel@jms.id.au \
--cc=linux-hardening@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sam@mendozajonas.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox