Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL

From: Kees Cook
Date: Mon Aug 27 2018 - 10:08:29 EST


On Mon, Aug 27, 2018 at 4:46 AM, Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
> On 2018-08-26 5:56 p.m., Kees Cook wrote:
>>
>> On Sun, Aug 26, 2018 at 10:30 AM, Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
>> wrote:
>>>
>>> We should add an nla_policy later.
>>
>>
>> What's the right way to do that for cases like this?
>
>
> Meant something like attached which you alluded to in your comments
> would give an upper bound (Max allowed keys is 128).

The problem is that policy doesn't parse the contents: "nkeys"
determines the size, so we have to both validate minimum size (to be
sure the location of "nkeys" is valid) and check that the size is at
least nkeys * struct long. I don't think there is a way to do this
with the existing policy language.

-Kees

--
Kees Cook
Pixel Security
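
The two-step size check described in the message above, as an added example that is not part of the original thread or the kernel source. `struct demo_sel`, `struct demo_key` and both function names are hypothetical stand-ins; only the `nkeys` field name comes from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the selector layout; only "nkeys" is from the thread. */
struct demo_key { uint32_t mask, val; int32_t off, offmask; };
struct demo_sel {
    uint8_t flags, offshift;
    uint8_t nkeys;            /* number of keys[] entries the sender claims */
    uint8_t pad;
    struct demo_key keys[];   /* variable-length tail sized by nkeys */
};

enum { SEL_OK = 0, SEL_SHORT_HEADER = -1, SEL_SHORT_KEYS = -2 };

/* What a fixed minimum-length rule can express: no look at the contents. */
int demo_static_check(size_t attr_len)
{
    return attr_len >= sizeof(struct demo_sel) ? SEL_OK : SEL_SHORT_HEADER;
}

/* Content-dependent check: header first, then the size nkeys implies. */
int demo_sel_validate(const uint8_t *payload, size_t attr_len)
{
    size_t need;

    if (attr_len < sizeof(struct demo_sel))   /* is nkeys inside the buffer? */
        return SEL_SHORT_HEADER;
    need = sizeof(struct demo_sel) +
           (size_t)payload[offsetof(struct demo_sel, nkeys)] * sizeof(struct demo_key);
    if (attr_len < need)                      /* are all claimed keys present? */
        return SEL_SHORT_KEYS;
    return SEL_OK;
}

int main(void)
{
    /* Constructed payload: 4-byte header claiming 2 keys, but no keys sent. */
    uint8_t buf[4 + 2 * sizeof(struct demo_key)] = {0};
    buf[offsetof(struct demo_sel, nkeys)] = 2;

    printf("static, len 4:   %d\n", demo_static_check(4));
    printf("two-step, len 4: %d\n", demo_sel_validate(buf, 4));
    printf("two-step, full:  %d\n", demo_sel_validate(buf, sizeof(buf)));
    return 0;
}
```

The fixed-length rule accepts the 4-byte payload even though it claims two keys; only the second step, which reads `nkeys`, rejects it.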