From patchwork Wed Feb 8 20:56:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilya Leoshkevich X-Patchwork-Id: 13133701 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 168CBC64EC4 for ; Wed, 8 Feb 2023 20:57:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232064AbjBHU52 (ORCPT ); Wed, 8 Feb 2023 15:57:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59398 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231637AbjBHU5W (ORCPT ); Wed, 8 Feb 2023 15:57:22 -0500 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2759646164 for ; Wed, 8 Feb 2023 12:57:15 -0800 (PST) Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 318JfhUw002299; Wed, 8 Feb 2023 20:57:01 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=hXJY65XzHh6IxUhP5fmVXPkmQ3duIWwmJ/iktABtGtg=; b=EnERI4SR4BJ3gFG1TRJ9iO1oJdDOF6VJvlcoNT+60VksZsATeOnogm5E88fyhF2Hj0Vu jLUyUwOrp/aevTSzKUk+QDgdVeMfW5mV6mKwl3YiP33rQ0J0x83PWqp+Q7aZTtUXm5y7 HmOOCRnOy6JjHWXtSbHeSOZMcnyiHUE6cZpYvlqBRsZqfJS47T6TtTbiAox8dm8M5il6 dhCQimRg9+1feWNNUf+Z7tUOky2JoI3DNDqZcJi1zNWpVFIaUd24oGt/QbksVZ3lYcGK osDy19pSedtnJPmgll0bS+3ngB7lWWns8vlOnGJIA75IiKvdaRCfruQ6sSQRHWZfnUrF MQ== Received: from ppma03ams.nl.ibm.com (62.31.33a9.ip4.static.sl-reverse.com [169.51.49.98]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nmj47sr4c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 08 Feb 2023 20:57:01 +0000 Received: from pps.filterd (ppma03ams.nl.ibm.com [127.0.0.1]) by ppma03ams.nl.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 31873AQ6002337; Wed, 8 Feb 2023 20:56:58 GMT Received: from smtprelay06.fra02v.mail.ibm.com ([9.218.2.230]) by ppma03ams.nl.ibm.com (PPS) with ESMTPS id 3nhf06nbem-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 08 Feb 2023 20:56:58 +0000 Received: from smtpav06.fra02v.mail.ibm.com (smtpav06.fra02v.mail.ibm.com [10.20.54.105]) by smtprelay06.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 318Kutlx23396950 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 8 Feb 2023 20:56:55 GMT Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 41B8620043; Wed, 8 Feb 2023 20:56:55 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AF30520040; Wed, 8 Feb 2023 20:56:54 +0000 (GMT) Received: from heavy.ibmuc.com (unknown [9.179.24.149]) by smtpav06.fra02v.mail.ibm.com (Postfix) with ESMTP; Wed, 8 Feb 2023 20:56:54 +0000 (GMT) From: Ilya Leoshkevich To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko Cc: bpf@vger.kernel.org, Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Ilya Leoshkevich Subject: [PATCH bpf-next 7/9] libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() Date: Wed, 8 Feb 2023 21:56:40 +0100 Message-Id: <20230208205642.270567-8-iii@linux.ibm.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230208205642.270567-1-iii@linux.ibm.com> References: <20230208205642.270567-1-iii@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: T0q5WIWuQV6Xft9sPKeWJlI6nVlB2N3K X-Proofpoint-ORIG-GUID: T0q5WIWuQV6Xft9sPKeWJlI6nVlB2N3K X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.122.1 definitions=2023-02-08_09,2023-02-08_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 impostorscore=0 spamscore=0 mlxlogscore=999 adultscore=0 priorityscore=1501 phishscore=0 malwarescore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2302080175 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net The code assumes that everything that comes after nlmsgerr are nlattrs. When calculating their size, it does not account for the initial nlmsghdr. This may lead to accessing uninitialized memory. Signed-off-by: Ilya Leoshkevich --- tools/lib/bpf/nlattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c index 3900d052ed19..c5da7662bb04 100644 --- a/tools/lib/bpf/nlattr.c +++ b/tools/lib/bpf/nlattr.c @@ -178,7 +178,7 @@ int libbpf_nla_dump_errormsg(struct nlmsghdr *nlh) hlen += nlmsg_len(&err->msg); attr = (struct nlattr *) ((void *) err + hlen); - alen = nlh->nlmsg_len - hlen; + alen = (char *)nlh + nlh->nlmsg_len - (char *)attr; if (libbpf_nla_parse(tb, NLMSGERR_ATTR_MAX, attr, alen, extack_policy) != 0) {