From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roman Mashak
Subject: Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL
Date: Mon, 27 Aug 2018 10:26:03 -0400
Message-ID: <85zhx7zy10.fsf@mojatatu.com>
References: <20180826055801.GA42063@beast> <20180826061534.GT6515@ZenIV.linux.org.uk> <5c88b08d-b9ca-f3df-ae78-cf685ee6723a@mojatatu.com>
Mime-Version: 1.0
Content-Type: text/plain
Cc: Jamal Hadi Salim , Al Viro , LKML , Cong Wang , Jiri Pirko , "David S. Miller" , Network Development
To: Kees Cook
Return-path:
Received: from mail-io0-f195.google.com ([209.85.223.195]:34142 "EHLO mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727094AbeH0SM4 (ORCPT ); Mon, 27 Aug 2018 14:12:56 -0400
Received: by mail-io0-f195.google.com with SMTP id c22-v6so12968608iob.1 for ; Mon, 27 Aug 2018 07:26:05 -0700 (PDT)
In-Reply-To: (Kees Cook's message of "Mon, 27 Aug 2018 07:08:22 -0700")
Sender: netdev-owner@vger.kernel.org
List-ID:

Kees Cook writes:

> On Mon, Aug 27, 2018 at 4:46 AM, Jamal Hadi Salim wrote:
>> On 2018-08-26 5:56 p.m., Kees Cook wrote:
>>>
>>> On Sun, Aug 26, 2018 at 10:30 AM, Jamal Hadi Salim
>>> wrote:
>>>>
>>>> We should add an nla_policy later.
>>>
>>>
>>> What's the right way to do that for cases like this?
>>
>>
>> Meant something like attached which you alluded-to in your comments
>> would give an upper bound (Max allowed keys is 128).
>
> The problem is that policy doesn't parse the contents: "nkeys"
> determines the size, so we have to both validate minimum size (to be
> sure the location of "nkeys" is valid) and check that the size is at
> least nkeys * struct long. I don't think there is a way to do this
> with the existing policy language.

While at these changes, could you also add and export in UAPI max
allowed keys count, which is currently 128? For example,
TCA_U32_NKEYS_MAX in pkt_cls.h
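
The two-step length check discussed in the quoted reply, as an added example in userspace C that is not part of this thread or of the kernel patch. The struct definitions, NKEYS_MAX, check_sel() and check_constructed() are local stand-ins assumed for illustration; the 128 bound is the figure quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for illustration; the real definitions live in pkt_cls.h. */
#define NKEYS_MAX 128               /* bound quoted in the thread */
struct u32_key { uint32_t mask, val; int32_t off, offmask; };
struct u32_sel {                    /* fixed header; nkeys keys follow it */
    uint8_t  flags, offshift, nkeys;
    uint16_t offmask, off;
    int16_t  offoff, hoff;
    uint32_t hmask;
};
enum { SEL_OK = 0, SEL_SHORT_HDR = -1, SEL_TOO_MANY = -2, SEL_SHORT_KEYS = -3 };

/* Validate an attribute payload of len bytes before anything reads the keys. */
int check_sel(const void *payload, size_t len)
{
    struct u32_sel hdr;

    /* Step 1: the fixed header must fit, or "nkeys" itself is out of bounds. */
    if (len < sizeof(hdr))
        return SEL_SHORT_HDR;
    memcpy(&hdr, payload, sizeof(hdr));   /* copy out: payload may be unaligned */
    /* Step 2: the content-dependent size that a static policy cannot express. */
    if (hdr.nkeys > NKEYS_MAX)
        return SEL_TOO_MANY;
    if (len < sizeof(hdr) + (size_t)hdr.nkeys * sizeof(struct u32_key))
        return SEL_SHORT_KEYS;
    return SEL_OK;
}

/* Constructed input: zeroed buffer claiming nkeys keys, presented as len bytes. */
int check_constructed(uint8_t nkeys, size_t len)
{
    static uint8_t buf[sizeof(struct u32_sel) + 255 * sizeof(struct u32_key)];
    memset(buf, 0, sizeof(buf));
    buf[offsetof(struct u32_sel, nkeys)] = nkeys;
    return check_sel(buf, len < sizeof(buf) ? len : sizeof(buf));
}

int main(void)
{
    size_t h = sizeof(struct u32_sel), k = sizeof(struct u32_key);
    printf("full=%d short_keys=%d short_hdr=%d\n", check_constructed(2, h + 2 * k),
           check_constructed(2, h), check_constructed(2, 3));
    return 0;
}
```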