diff mbox series

netlink: netlink_sendmsg: memset unused tail bytes in skb

Message ID 20210509121858.1232583-1-phil@philpotter.co.uk (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series netlink: netlink_sendmsg: memset unused tail bytes in skb | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers warning 2 maintainers not CCed: fw@strlen.de marcelo.leitner@gmail.com
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 4 this patch: 4
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/header_inline success Link

Commit Message

Phillip Potter May 9, 2021, 12:18 p.m. UTC
When allocating the skb within netlink_sendmsg, with certain supplied
len arguments, extra bytes are allocated at the end of the data buffer,
due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
alignment reasons. This means that after using skb_put with the same
len value and then copying data into the skb, the skb tail area is
non-zero in size and contains uninitialised bytes. Wiping this area
(if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69

Reported-by: syzbot+a73d24a22eeeebe5f244@syzkaller.appspotmail.com
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
---
 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Florian Westphal May 9, 2021, 1:10 p.m. UTC | #1
Phillip Potter <phil@philpotter.co.uk> wrote:
> When allocating the skb within netlink_sendmsg, with certain supplied
> len arguments, extra bytes are allocated at the end of the data buffer,
> due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
> alignment reasons. This means that after using skb_put with the same
> len value and then copying data into the skb, the skb tail area is
> non-zero in size and contains uninitialised bytes. Wiping this area
> (if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
> https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69

This patch papers over the real bug.

Please fix TIPC instead.
Incomplete patch as a starting point:

diff --git a/net/tipc/node.c b/net/tipc/node.c
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -2481,7 +2481,6 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
 	struct net *net = genl_info_net(info);
 	struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
 	struct tipc_nl_msg msg;
-	char *name;
 	int err;
 
 	msg.portid = info->snd_portid;
@@ -2499,13 +2498,11 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
 	if (!attrs[TIPC_NLA_LINK_NAME])
 		return -EINVAL;
 
-	name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
-
 	msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
 	if (!msg.skb)
 		return -ENOMEM;
 
-	if (strcmp(name, tipc_bclink_name) == 0) {
+	if (nla_strcmp(attrs[TIPC_NLA_LINK_NAME], tipc_bclink_name) == 0) {
 		err = tipc_nl_add_bc_link(net, &msg, tipc_net(net)->bcl);
 		if (err)
 			goto err_free;


You will also need to change tipc_node_find_by_name() to pass the nla
attr.

Alternatively TIPC_NLA_LINK_NAME policy can be changed:

diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -88,7 +88,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
 
 const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
        [TIPC_NLA_LINK_UNSPEC]          = { .type = NLA_UNSPEC },
-       [TIPC_NLA_LINK_NAME]            = { .type = NLA_STRING,
+       [TIPC_NLA_LINK_NAME]            = { .type = NLA_NUL_STRING,


... which makes it safe to treat the raw attribute payload as a c-string,
but this might break existing userspace applications.

Its probably a good idea to audit all NLA_STRING attributes in tipc for
similar problems.
Phillip Potter May 11, 2021, 10:17 p.m. UTC | #2
On Sun, May 09, 2021 at 03:10:51PM +0200, Florian Westphal wrote:
> Phillip Potter <phil@philpotter.co.uk> wrote:
> > When allocating the skb within netlink_sendmsg, with certain supplied
> > len arguments, extra bytes are allocated at the end of the data buffer,
> > due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
> > alignment reasons. This means that after using skb_put with the same
> > len value and then copying data into the skb, the skb tail area is
> > non-zero in size and contains uninitialised bytes. Wiping this area
> > (if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
> > https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69
> 
> This patch papers over the real bug.
> 
> Please fix TIPC instead.
> Incomplete patch as a starting point:
> 
> diff --git a/net/tipc/node.c b/net/tipc/node.c
> --- a/net/tipc/node.c
> +++ b/net/tipc/node.c
> @@ -2481,7 +2481,6 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
>  	struct net *net = genl_info_net(info);
>  	struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
>  	struct tipc_nl_msg msg;
> -	char *name;
>  	int err;
>  
>  	msg.portid = info->snd_portid;
> @@ -2499,13 +2498,11 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
>  	if (!attrs[TIPC_NLA_LINK_NAME])
>  		return -EINVAL;
>  
> -	name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
> -
>  	msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
>  	if (!msg.skb)
>  		return -ENOMEM;
>  
> -	if (strcmp(name, tipc_bclink_name) == 0) {
> +	if (nla_strcmp(attrs[TIPC_NLA_LINK_NAME], tipc_bclink_name) == 0) {
>  		err = tipc_nl_add_bc_link(net, &msg, tipc_net(net)->bcl);
>  		if (err)
>  			goto err_free;
> 
> 
> You will also need to change tipc_node_find_by_name() to pass the nla
> attr.
> 
> Alternatively TIPC_NLA_LINK_NAME policy can be changed:
> 
> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
> --- a/net/tipc/netlink.c
> +++ b/net/tipc/netlink.c
> @@ -88,7 +88,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
>  
>  const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
>         [TIPC_NLA_LINK_UNSPEC]          = { .type = NLA_UNSPEC },
> -       [TIPC_NLA_LINK_NAME]            = { .type = NLA_STRING,
> +       [TIPC_NLA_LINK_NAME]            = { .type = NLA_NUL_STRING,
> 
> 
> ... which makes it safe to treat the raw attribute payload as a c-string,
> but this might break existing userspace applications.
> 
> Its probably a good idea to audit all NLA_STRING attributes in tipc for
> similar problems.

Dear Florian,

Thank you for your feedback and code + suggestions, I will take a look at this over
the next few days and then resubmit.

Regards,
Phil
diff mbox series

Patch

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 3a62f97acf39..e54321b63f98 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1914,6 +1914,9 @@  static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 		goto out;
 	}
 
+	if (skb->end - skb->tail)
+		memset(skb_tail_pointer(skb), 0, skb->end - skb->tail);
+
 	err = security_netlink_send(sk, skb);
 	if (err) {
 		kfree_skb(skb);