netlink: netlink_sendmsg: memset unused tail bytes in skb

Message ID	20210509121858.1232583-1-phil@philpotter.co.uk (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Phillip Potter <phil@philpotter.co.uk> To: davem@davemloft.net Cc: kuba@kernel.org, yhs@fb.com, ast@kernel.org, johannes.berg@intel.com, rdunlap@infradead.org, 0x7f454c46@gmail.com, yangyingliang@huawei.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] netlink: netlink_sendmsg: memset unused tail bytes in skb Date: Sun, 9 May 2021 13:18:58 +0100 Message-Id: <20210509121858.1232583-1-phil@philpotter.co.uk> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	netlink: netlink_sendmsg: memset unused tail bytes in skb \| expand netlink: netlink_sendmsg: memset unused tail bytes in skb

Message ID

20210509121858.1232583-1-phil@philpotter.co.uk (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: Phillip Potter <phil@philpotter.co.uk>
To: davem@davemloft.net
Cc: kuba@kernel.org, yhs@fb.com, ast@kernel.org,
        johannes.berg@intel.com, rdunlap@infradead.org,
        0x7f454c46@gmail.com, yangyingliang@huawei.com,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] netlink: netlink_sendmsg: memset unused tail bytes in skb
Date: Sun,  9 May 2021 13:18:58 +0100
Message-Id: <20210509121858.1232583-1-phil@philpotter.co.uk>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

netlink: netlink_sendmsg: memset unused tail bytes in skb | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cc_maintainers	warning	2 maintainers not CCed: fw@strlen.de marcelo.leitner@gmail.com
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 4 this patch: 4
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 4 this patch: 4
netdev/header_inline	success	Link

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/subject_prefix

warning

Target tree name not specified in the subject

netdev/cc_maintainers

warning

2 maintainers not CCed: fw@strlen.de marcelo.leitner@gmail.com

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 4 this patch: 4

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

success

Link

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 9 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 4 this patch: 4

netdev/header_inline

success

Link

Commit Message

Phillip Potter May 9, 2021, 12:18 p.m. UTC

When allocating the skb within netlink_sendmsg, with certain supplied
len arguments, extra bytes are allocated at the end of the data buffer,
due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
alignment reasons. This means that after using skb_put with the same
len value and then copying data into the skb, the skb tail area is
non-zero in size and contains uninitialised bytes. Wiping this area
(if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69

Reported-by: syzbot+a73d24a22eeeebe5f244@syzkaller.appspotmail.com
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
---
 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Florian Westphal May 9, 2021, 1:10 p.m. UTC | #1

Phillip Potter <phil@philpotter.co.uk> wrote:
> When allocating the skb within netlink_sendmsg, with certain supplied
> len arguments, extra bytes are allocated at the end of the data buffer,
> due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
> alignment reasons. This means that after using skb_put with the same
> len value and then copying data into the skb, the skb tail area is
> non-zero in size and contains uninitialised bytes. Wiping this area
> (if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
> https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69

This patch papers over the real bug.

Please fix TIPC instead.
Incomplete patch as a starting point:

diff --git a/net/tipc/node.c b/net/tipc/node.c
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -2481,7 +2481,6 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
 	struct net *net = genl_info_net(info);
 	struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
 	struct tipc_nl_msg msg;
-	char *name;
 	int err;
 
 	msg.portid = info->snd_portid;
@@ -2499,13 +2498,11 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
 	if (!attrs[TIPC_NLA_LINK_NAME])
 		return -EINVAL;
 
-	name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
-
 	msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
 	if (!msg.skb)
 		return -ENOMEM;
 
-	if (strcmp(name, tipc_bclink_name) == 0) {
+	if (nla_strcmp(attrs[TIPC_NLA_LINK_NAME], tipc_bclink_name) == 0) {
 		err = tipc_nl_add_bc_link(net, &msg, tipc_net(net)->bcl);
 		if (err)
 			goto err_free;


You will also need to change tipc_node_find_by_name() to pass the nla
attr.

Alternatively TIPC_NLA_LINK_NAME policy can be changed:

diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -88,7 +88,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
 
 const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
        [TIPC_NLA_LINK_UNSPEC]          = { .type = NLA_UNSPEC },
-       [TIPC_NLA_LINK_NAME]            = { .type = NLA_STRING,
+       [TIPC_NLA_LINK_NAME]            = { .type = NLA_NUL_STRING,


... which makes it safe to treat the raw attribute payload as a c-string,
but this might break existing userspace applications.

Its probably a good idea to audit all NLA_STRING attributes in tipc for
similar problems.

Phillip Potter May 11, 2021, 10:17 p.m. UTC | #2

On Sun, May 09, 2021 at 03:10:51PM +0200, Florian Westphal wrote:
> Phillip Potter <phil@philpotter.co.uk> wrote:
> > When allocating the skb within netlink_sendmsg, with certain supplied
> > len arguments, extra bytes are allocated at the end of the data buffer,
> > due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
> > alignment reasons. This means that after using skb_put with the same
> > len value and then copying data into the skb, the skb tail area is
> > non-zero in size and contains uninitialised bytes. Wiping this area
> > (if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
> > https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69
> 
> This patch papers over the real bug.
> 
> Please fix TIPC instead.
> Incomplete patch as a starting point:
> 
> diff --git a/net/tipc/node.c b/net/tipc/node.c
> --- a/net/tipc/node.c
> +++ b/net/tipc/node.c
> @@ -2481,7 +2481,6 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
>  	struct net *net = genl_info_net(info);
>  	struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
>  	struct tipc_nl_msg msg;
> -	char *name;
>  	int err;
>  
>  	msg.portid = info->snd_portid;
> @@ -2499,13 +2498,11 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
>  	if (!attrs[TIPC_NLA_LINK_NAME])
>  		return -EINVAL;
>  
> -	name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
> -
>  	msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
>  	if (!msg.skb)
>  		return -ENOMEM;
>  
> -	if (strcmp(name, tipc_bclink_name) == 0) {
> +	if (nla_strcmp(attrs[TIPC_NLA_LINK_NAME], tipc_bclink_name) == 0) {
>  		err = tipc_nl_add_bc_link(net, &msg, tipc_net(net)->bcl);
>  		if (err)
>  			goto err_free;
> 
> 
> You will also need to change tipc_node_find_by_name() to pass the nla
> attr.
> 
> Alternatively TIPC_NLA_LINK_NAME policy can be changed:
> 
> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
> --- a/net/tipc/netlink.c
> +++ b/net/tipc/netlink.c
> @@ -88,7 +88,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
>  
>  const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
>         [TIPC_NLA_LINK_UNSPEC]          = { .type = NLA_UNSPEC },
> -       [TIPC_NLA_LINK_NAME]            = { .type = NLA_STRING,
> +       [TIPC_NLA_LINK_NAME]            = { .type = NLA_NUL_STRING,
> 
> 
> ... which makes it safe to treat the raw attribute payload as a c-string,
> but this might break existing userspace applications.
> 
> Its probably a good idea to audit all NLA_STRING attributes in tipc for
> similar problems.

Dear Florian,

Thank you for your feedback and code + suggestions, I will take a look at this over
the next few days and then resubmit.

Regards,
Phil

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 3a62f97acf39..e54321b63f98 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1914,6 +1914,9 @@  static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 		goto out;
 	}
 
+	if (skb->end - skb->tail)
+		memset(skb_tail_pointer(skb), 0, skb->end - skb->tail);
+
 	err = security_netlink_send(sk, skb);
 	if (err) {
 		kfree_skb(skb);