From patchwork Fri Feb 10 00:12:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilya Leoshkevich X-Patchwork-Id: 13135256 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 53DD9C636D6 for ; Fri, 10 Feb 2023 00:12:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229762AbjBJAM6 (ORCPT ); Thu, 9 Feb 2023 19:12:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229809AbjBJAM5 (ORCPT ); Thu, 9 Feb 2023 19:12:57 -0500 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0B0E26BA92 for ; Thu, 9 Feb 2023 16:12:55 -0800 (PST) Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31A0CU9D008331; Fri, 10 Feb 2023 00:12:43 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=JJkwJpMKTrd5hYhEpRZnI/k0NbMjJwk5F85j20ZEstY=; b=AzuOl9DUdHybe/HEijQA8E1LZDFWC4eAh2OPpysGh8dulQ7vKHND9P+z8xlDIVmUncQy ZN+byti5vMzmLPTzTRfS5AWh65jJqbc45S2o+vSVhV0MwFUog72hx3kclkxCKOSBDCFt 9SpIWbnJRrq/nTl71Vsj3FW+AwQzLMBq8tpS6t8IlvUFXgKKD5+H/Ra2mikVVp4rZcIR yZzgyLETwvgGTkRu7BXvWWsHWccCpQhDynXvnWs1VbGy+XlJVFrNPKMOnzE9sGLPVY2B y8JPCDyJO5FHnojlL8Uxg1L6N17LISFeZehzi3nTT9h/ciXr3LujHfcjW9FZXOhYC260 kw== Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nnb61803p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Feb 2023 00:12:43 +0000 Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1]) by ppma04ams.nl.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 319CkNqY023807; Fri, 10 Feb 2023 00:12:40 GMT Received: from smtprelay01.fra02v.mail.ibm.com ([9.218.2.227]) by ppma04ams.nl.ibm.com (PPS) with ESMTPS id 3nhf06xt66-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Feb 2023 00:12:40 +0000 Received: from smtpav01.fra02v.mail.ibm.com (smtpav01.fra02v.mail.ibm.com [10.20.54.100]) by smtprelay01.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 31A0CbiW46203194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 10 Feb 2023 00:12:37 GMT Received: from smtpav01.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4E8AB20040; Fri, 10 Feb 2023 00:12:37 +0000 (GMT) Received: from smtpav01.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B2BD32004D; Fri, 10 Feb 2023 00:12:36 +0000 (GMT) Received: from heavy.ibmuc.com (unknown [9.171.74.186]) by smtpav01.fra02v.mail.ibm.com (Postfix) with ESMTP; Fri, 10 Feb 2023 00:12:36 +0000 (GMT) From: Ilya Leoshkevich To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko Cc: bpf@vger.kernel.org, Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Ilya Leoshkevich Subject: [PATCH bpf-next v2 07/16] libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() Date: Fri, 10 Feb 2023 01:12:01 +0100 Message-Id: <20230210001210.395194-8-iii@linux.ibm.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230210001210.395194-1-iii@linux.ibm.com> References: <20230210001210.395194-1-iii@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: iKPTe_YfNOQ6wb2zUiJh50MxTa7JZ9Li X-Proofpoint-ORIG-GUID: iKPTe_YfNOQ6wb2zUiJh50MxTa7JZ9Li X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-09_16,2023-02-09_03,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 suspectscore=0 priorityscore=1501 clxscore=1015 adultscore=0 mlxlogscore=999 malwarescore=0 lowpriorityscore=0 mlxscore=0 bulkscore=0 spamscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2302090217 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net The code assumes that everything that comes after nlmsgerr are nlattrs. When calculating their size, it does not account for the initial nlmsghdr. This may lead to accessing uninitialized memory. Signed-off-by: Ilya Leoshkevich --- tools/lib/bpf/nlattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c index 3900d052ed19..975e265eab3b 100644 --- a/tools/lib/bpf/nlattr.c +++ b/tools/lib/bpf/nlattr.c @@ -178,7 +178,7 @@ int libbpf_nla_dump_errormsg(struct nlmsghdr *nlh) hlen += nlmsg_len(&err->msg); attr = (struct nlattr *) ((void *) err + hlen); - alen = nlh->nlmsg_len - hlen; + alen = (void *)nlh + nlh->nlmsg_len - (void *)attr; if (libbpf_nla_parse(tb, NLMSGERR_ATTR_MAX, attr, alen, extack_policy) != 0) {