[PATCH 0/2] netlink: Bounds-check struct nlmsgerr creation

From: Kees Cook
Date: Wed Aug 31 2022 - 23:06:28 EST


Hi,

In order to avoid triggering the coming runtime memcpy() bounds checking,
the length of the destination needs to be "visible" to the compiler in
some way. However, netlink is constructed in a rather hidden fashion,
and my attempts to wrangle it have resulted in this series, which performs
explicit bounds checking before using unsafe_memcpy().

-Kees

Kees Cook (2):
netlink: Bounds-check nlmsg_len()
netlink: Bounds-check struct nlmsgerr creation

include/net/netlink.h | 10 ++++++-
net/netfilter/ipset/ip_set_core.c | 10 +++++--
net/netlink/af_netlink.c | 49 +++++++++++++++++++++----------
3 files changed, 49 insertions(+), 20 deletions(-)

--
2.34.1
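As an added illustration of the pattern the cover letter describes, and not code from this series or from the kernel, the following userspace C shows what "explicit bounds checking before the copy" looks like for an NLMSG_ERROR reply: the header-length subtraction is guarded against underflow, and the copy of the original message into the nlmsgerr payload is bounded on both the source and the destination side using lengths the caller holds, so nothing about the destination size has to be inferred from the struct layout. The struct and macro definitions mirror the public netlink ABI in <linux/netlink.h>; nlmsg_payload_len, build_nlmsgerr, example_reply_len, example_payload_len and the 24-byte sample request are assumptions made for this example, and the kernel's own ack logic (header-only versus full copy, extack attributes) is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copies of the netlink ABI layouts from <linux/netlink.h>,
 * re-declared so the example compiles without kernel headers. */
struct nlmsghdr {
    uint32_t nlmsg_len;   /* total length including this header */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct nlmsgerr {
    int error;            /* negative errno, 0 for a plain ACK */
    struct nlmsghdr msg;  /* copy of the offending header, maybe plus payload */
};

#define NLMSG_ALIGNTO   4U
#define NLMSG_ALIGN(n)  (((n) + NLMSG_ALIGNTO - 1U) & ~(NLMSG_ALIGNTO - 1U))
#define NLMSG_HDRLEN    ((size_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_ERROR     0x2

/* Payload length of a message (assumed helper). Returns -1 when nlmsg_len is
 * smaller than the header itself; an unchecked subtraction would wrap to a
 * huge unsigned value and pass that on as a copy length. */
static long nlmsg_payload_len(const struct nlmsghdr *nlh)
{
    if (nlh->nlmsg_len < NLMSG_HDRLEN)
        return -1;
    return (long)(nlh->nlmsg_len - NLMSG_HDRLEN);
}

/* Write an NLMSG_ERROR reply for orig into dst[dst_cap] (assumed helper).
 * copy_len bytes of orig (at least its header) follow the error code.
 * Returns bytes written, or -1 if any bound fails. */
static long build_nlmsgerr(uint8_t *dst, size_t dst_cap,
                           const struct nlmsghdr *orig, size_t copy_len,
                           int error)
{
    /* Source bound: never copy less than a header or more than orig claims. */
    if (copy_len < sizeof(struct nlmsghdr) || copy_len > orig->nlmsg_len)
        return -1;
    /* Destination bound: reply header + error code + copied bytes must fit. */
    size_t need = NLMSG_HDRLEN + offsetof(struct nlmsgerr, msg) + copy_len;
    if (need > dst_cap)
        return -1;

    struct nlmsghdr rep = {
        .nlmsg_len   = (uint32_t)need,
        .nlmsg_type  = NLMSG_ERROR,
        .nlmsg_flags = 0,
        .nlmsg_seq   = orig->nlmsg_seq,
        .nlmsg_pid   = orig->nlmsg_pid,
    };
    uint8_t *err = dst + NLMSG_HDRLEN;
    memcpy(dst, &rep, sizeof rep);                                /* reply header  */
    memcpy(err, &error, sizeof error);                            /* nlmsgerr.error */
    memcpy(err + offsetof(struct nlmsgerr, msg), orig, copy_len); /* nlmsgerr.msg   */
    return (long)need;
}

/* Constructed sample: a 24-byte request (16-byte header + 8-byte payload).
 * Tries to build its error reply with the given capacity and copy length. */
static long example_reply_len(size_t dst_cap, size_t copy_len)
{
    union { struct nlmsghdr hdr; uint8_t raw[24]; } req;
    uint8_t dst[64];

    memset(&req, 0, sizeof req);
    req.hdr.nlmsg_len = sizeof req.raw;
    req.hdr.nlmsg_type = 1;
    req.hdr.nlmsg_seq = 7;
    req.hdr.nlmsg_pid = 9;
    memset(req.raw + NLMSG_HDRLEN, 0xab, sizeof req.raw - NLMSG_HDRLEN);
    if (dst_cap > sizeof dst)
        return -1;
    return build_nlmsgerr(dst, dst_cap, &req.hdr, copy_len, -22);
}

/* Header-only sample with an arbitrary claimed nlmsg_len. */
static long example_payload_len(uint32_t claimed_len)
{
    struct nlmsghdr h = { .nlmsg_len = claimed_len };
    return nlmsg_payload_len(&h);
}

int main(void)
{
    printf("payload of 24-byte msg: %ld\n", example_payload_len(24));
    printf("payload of 12-byte msg: %ld\n", example_payload_len(12));
    printf("full copy into 64 bytes: %ld\n", example_reply_len(64, 24));
    printf("full copy into 40 bytes: %ld\n", example_reply_len(40, 24));
    printf("over-long copy_len: %ld\n", example_reply_len(64, 32));
    return 0;
}
```

The point of the two checks in build_nlmsgerr is that both operands of the final memcpy() are bounded by values that exist in the function, not by a size the compiler has to derive from a flexible or trailing struct member; that is the property a runtime memcpy() check wants to see, and it is what an explicit check before an unsafe_memcpy() supplies by hand.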