From: Jakub Kicinski <kuba@kernel.org>
To: Zahari Doychev <zahari.doychev@linux.com>
Cc: donald.hunter@gmail.com, davem@davemloft.net,
edumazet@google.com, pabeni@redhat.com, horms@kernel.org,
jacob.e.keller@intel.com, ast@fiberby.net, matttbe@kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us,
johannes@sipsolutions.net
Subject: Re: [PATCH 2/4] tools: ynl: zero-initialize struct ynl_sock memory
Date: Tue, 21 Oct 2025 16:22:09 -0700 [thread overview]
Message-ID: <20251021162209.73215f57@kernel.org> (raw)
In-Reply-To: <7mgcwqzafkqheqmbvkdx6bfeugfkuqrgik6ipdoxy3rtvinkqq@uxwnz7243zec>
On Tue, 21 Oct 2025 20:36:38 +0300 Zahari Doychev wrote:
> On Mon, Oct 20, 2025 at 04:16:39PM -0700, Jakub Kicinski wrote:
> > On Sat, 18 Oct 2025 17:17:35 +0200 Zahari Doychev wrote:
> > > The memory belonging to tx_buf and rx_buf in ynl_sock is not
> > > initialized after allocation. This commit ensures the entire
> > > allocated memory is set to zero.
> > >
> > > When asan is enabled, uninitialized bytes may contain poison values.
> > > This can cause failures e.g. when doing ynl_attr_put_str then poisoned
> > > bytes appear after the null terminator. As a result, tc filter addition
> > > may fail.
> >
> > We add strings with the null-terminating char, AFAICT.
> > Do you mean that the poison value appears in the padding?
> >
>
> Yes, correct. The function nla_strcmp(...) does not match in this case as
> the poison value appears in the padding after the null byte.
>
> > > Signed-off-by: Zahari Doychev <zahari.doychev@linux.com>
> > > ---
> > > tools/net/ynl/lib/ynl.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/tools/net/ynl/lib/ynl.c b/tools/net/ynl/lib/ynl.c
> > > index 2bcd781111d7..16a4815d6a49 100644
> > > --- a/tools/net/ynl/lib/ynl.c
> > > +++ b/tools/net/ynl/lib/ynl.c
> > > @@ -744,7 +744,7 @@ ynl_sock_create(const struct ynl_family *yf, struct ynl_error *yse)
> > > ys = malloc(sizeof(*ys) + 2 * YNL_SOCKET_BUFFER_SIZE);
> > > if (!ys)
> > > return NULL;
> > > - memset(ys, 0, sizeof(*ys));
> > > + memset(ys, 0, sizeof(*ys) + 2 * YNL_SOCKET_BUFFER_SIZE);
> >
> > This is just clearing the buffer initially, it can be used for multiple
> > requests. This change is no good as is.
>
> I see. Should then the ynl_attr_put_str be changed to zero the padding
> bytes or it is better to make sure the buffers are cleared for each
> request?
Eek, I think the bug is in how ynl_attr_put_str() computes len.
len is attr len, it should not include padding.
At the same time we should probably zero-terminate the strings
in case kernel wants NLA_NUL_STRING.
Just for illustration -- I think we should do something like
the following, please turn this into a real patch if it makes sense:
diff --git a/tools/net/ynl/lib/ynl-priv.h b/tools/net/ynl/lib/ynl-priv.h
index 29481989ea76..515c6d12f68a 100644
--- a/tools/net/ynl/lib/ynl-priv.h
+++ b/tools/net/ynl/lib/ynl-priv.h
@@ -314,14 +314,14 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
size_t len;
len = strlen(str);
- if (__ynl_attr_put_overflow(nlh, len))
+ if (__ynl_attr_put_overflow(nlh, len + 1))
return;
attr = (struct nlattr *)ynl_nlmsg_end_addr(nlh);
attr->nla_type = attr_type;
strcpy((char *)ynl_attr_data(attr), str);
- attr->nla_len = NLA_HDRLEN + NLA_ALIGN(len);
+ attr->nla_len = NLA_HDRLEN + len + 1;
nlh->nlmsg_len += NLMSG_ALIGN(attr->nla_len);
next prev parent reply other threads:[~2025-10-21 23:22 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-18 15:17 [PATCH 0/4] tools: ynl: Fix tc filters with actions Zahari Doychev
2025-10-18 15:17 ` [PATCH 1/4] ynl: samples: add tc filter add example Zahari Doychev
2025-10-20 23:20 ` Jakub Kicinski
2025-10-21 17:21 ` Zahari Doychev
2025-10-18 15:17 ` [PATCH 2/4] tools: ynl: zero-initialize struct ynl_sock memory Zahari Doychev
2025-10-20 23:16 ` Jakub Kicinski
2025-10-21 17:36 ` Zahari Doychev
2025-10-21 23:22 ` Jakub Kicinski [this message]
2025-10-22 19:59 ` Zahari Doychev
2025-10-18 15:17 ` [PATCH 3/4] tools: ynl: call nested attribute free function for indexed arrays Zahari Doychev
2025-10-20 23:19 ` Jakub Kicinski
2025-10-18 15:17 ` [PATCH 4/4] tools: ynl: add start-index property " Zahari Doychev
2025-10-20 23:32 ` Jakub Kicinski
2025-10-21 17:50 ` Zahari Doychev
2025-10-21 22:52 ` Asbjørn Sloth Tønnesen
2025-10-21 23:24 ` Jakub Kicinski
2025-10-22 19:37 ` Asbjørn Sloth Tønnesen
2025-10-22 20:03 ` Zahari Doychev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251021162209.73215f57@kernel.org \
--to=kuba@kernel.org \
--cc=ast@fiberby.net \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jacob.e.keller@intel.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=matttbe@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=xiyou.wangcong@gmail.com \
--cc=zahari.doychev@linux.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).