Re: [PATCH v2] netlink: Bounds-check struct nlmsgerr creation

From: Jozsef Kadlecsik
Date: Thu Sep 01 2022 - 03:25:51 EST


Hi,

On Wed, 31 Aug 2022, Kees Cook wrote:

> For 32-bit systems, it might be possible to wrap lnmsgerr content
> lengths beyond SIZE_MAX. Explicitly test for all overflows, and mark the
> memcpy() as being unable to internally diagnose overflows.
>
> This also excludes netlink from the coming runtime bounds check on
> memcpy(), since it's an unusual case of open-coded sizing and
> allocation. Avoid this future run-time warning:
>
> memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16)
>
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Cc: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>
> Cc: Florian Westphal <fw@xxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
> Cc: netfilter-devel@xxxxxxxxxxxxxxx
> Cc: coreteam@xxxxxxxxxxxxx
> Cc: netdev@xxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> v2: Rebased to -next
> v1: https://lore.kernel.org/lkml/20220901030610.1121299-3-keescook@xxxxxxxxxxxx
> ---
> net/netlink/af_netlink.c | 81 +++++++++++++++++++++++++---------------
> 1 file changed, 51 insertions(+), 30 deletions(-)

Could you add back the net/netfilter/ipset/ip_set_core.c part? Thanks!

Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary