diff mbox series

[net] netlink: add nla be16/32 types to minlen array

Message ID 20240221172740.5092-1-fw@strlen.de (mailing list archive)
State Accepted
Commit 9a0d18853c280f6a0ee99f91619f2442a17a323a
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 958 this patch: 958
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 1 blamed authors not CCed: kuba@kernel.org; 2 maintainers not CCed: akpm@linux-foundation.org kuba@kernel.org
netdev/build_clang success Errors and warnings before: 974 this patch: 974
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 975 this patch: 975
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-02-23--03-00 (tests: 1457)

Commit Message

Florian Westphal Feb. 21, 2024, 5:27 p.m. UTC
BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
 nla_validate_range_unsigned lib/nlattr.c:222 [inline]
 nla_validate_int_range lib/nlattr.c:336 [inline]
 validate_nla lib/nlattr.c:575 [inline]
...

The message in question matches this policy:

 [NFTA_TARGET_REV]       = NLA_POLICY_MAX(NLA_BE32, 255),

but because NLA_BE32 size in minlen array is 0, the validation
code will read past the malformed (too small) attribute.

Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:
those likely should be added too.

Reported-by: syzbot+3f497b07aa3baf2fb4d0@syzkaller.appspotmail.com
Reported-by: xingwei lee <xrivendell7@gmail.com>
Closes: https://lore.kernel.org/all/CABOYnLzFYHSnvTyS6zGa-udNX55+izqkOt2sB9WDqUcEGW6n8w@mail.gmail.com/raw
Fixes: ecaf75ffd5f5 ("netlink: introduce bigendian integer types")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 lib/nlattr.c | 4 ++++
 1 file changed, 4 insertions(+)
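
The failure mode the commit message describes, reduced to a userspace model (an added example, not code from the kernel or from this patch; the `toy_*` names and result codes are hypothetical). With a minimum length of 0 for the big-endian type, a 1-byte attribute passes the length gate and the range check then needs 4 bytes:

```c
/* Userspace model of the length gate; all toy_* names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum toy_type { TOY_U32, TOY_BE32, TOY_TYPE_MAX = TOY_BE32 };
enum toy_result { TOY_OK, TOY_ERANGE, TOY_TOO_SHORT, TOY_WOULD_OVERREAD };

struct toy_attr {
	uint16_t len;           /* payload length claimed in the attribute header */
	const uint8_t *payload;
};

/* Table as it was: no entry for the big-endian type, so its minimum is 0. */
static const uint8_t minlen_before[TOY_TYPE_MAX + 1] = {
	[TOY_U32] = sizeof(uint32_t),
};

/* Table with the entry added, mirroring the fix. */
static const uint8_t minlen_after[TOY_TYPE_MAX + 1] = {
	[TOY_U32]  = sizeof(uint32_t),
	[TOY_BE32] = sizeof(uint32_t),
};

/* Length gate first, then a "value <= max" check on a 32-bit big-endian
 * payload. The model reports the out-of-bounds read instead of doing it. */
static enum toy_result toy_validate_be32(const uint8_t *minlen,
					 const struct toy_attr *a, uint32_t max)
{
	if (a->len < minlen[TOY_BE32])
		return TOY_TOO_SHORT;       /* rejected before any payload read */
	if (a->len < sizeof(uint32_t))
		return TOY_WOULD_OVERREAD;  /* range check would read 4 bytes */

	uint32_t v = (uint32_t)a->payload[0] << 24 | (uint32_t)a->payload[1] << 16 |
		     (uint32_t)a->payload[2] << 8 | a->payload[3];
	return v > max ? TOY_ERANGE : TOY_OK;
}

/* Constructed input: a malformed attribute carrying a single payload byte. */
static const uint8_t short_payload[] = { 0x07 };

int main(void)
{
	struct toy_attr bad = { sizeof(short_payload), short_payload };

	printf("before: %d\n", toy_validate_be32(minlen_before, &bad, 255));
	printf("after:  %d\n", toy_validate_be32(minlen_after, &bad, 255));
	return 0;
}
```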

Comments

Jakub Kicinski Feb. 23, 2024, 3:05 a.m. UTC | #1
On Wed, 21 Feb 2024 18:27:33 +0100 Florian Westphal wrote:
> Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:
> those likely should be added too.

Not AFAICT, FWIW. The sizes of those are checked explicitly in
dedicated switch cases, rather than the default case. We could
still add them for the sake of nla_policy_len(), but not a fix.

patchwork-bot+netdevbpf@kernel.org Feb. 23, 2024, 3:10 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 21 Feb 2024 18:27:33 +0100 you wrote:
> BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
> BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
> BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
> BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
>  nla_validate_range_unsigned lib/nlattr.c:222 [inline]
>  nla_validate_int_range lib/nlattr.c:336 [inline]
>  validate_nla lib/nlattr.c:575 [inline]
> ...
> 
> [...]

Here is the summary with links:
  - [net] netlink: add nla be16/32 types to minlen array
    https://git.kernel.org/netdev/net/c/9a0d18853c28

You are awesome, thank you!

Patch

diff --git a/lib/nlattr.c b/lib/nlattr.c
index ed2ab43e1b22..be9c576b6e2d 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -30,6 +30,8 @@  static const u8 nla_attr_len[NLA_TYPE_MAX+1] = {
 	[NLA_S16]	= sizeof(s16),
 	[NLA_S32]	= sizeof(s32),
 	[NLA_S64]	= sizeof(s64),
+	[NLA_BE16]	= sizeof(__be16),
+	[NLA_BE32]	= sizeof(__be32),
 };
 
 static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = {
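
Review bot: the NLA_BE16/NLA_BE32 entries added to nla_attr_len[] here are not explained by the changelog, which only talks about the minlen array (the subject line and "NLA_BE32 size in minlen array is 0"). Please add a sentence saying why nla_attr_len[] needs the two entries as well, so that someone backporting or bisecting can tell whether this half belongs to the KMSAN fix or is a consistency change.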
@@ -43,6 +45,8 @@  static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = {
 	[NLA_S16]	= sizeof(s16),
 	[NLA_S32]	= sizeof(s32),
 	[NLA_S64]	= sizeof(s64),
+	[NLA_BE16]	= sizeof(__be16),
+	[NLA_BE32]	= sizeof(__be32),
 };
 
 /*
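
Review bot: nla_attr_minlen[] leaves every type without an entry at 0, and nothing next to the table says which types are omitted on purpose. The changelog guesses that BITFIELD32, SINT and UINT are missing too, while the reply in this thread says their sizes are checked in dedicated switch cases rather than the default case. A short comment above the table stating that any type validated through the default case needs an entry here, and that the remaining types are length-checked elsewhere, would keep the next new NLA_* type from repeating this.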