Re: [PATCH 1/2] netlink: Bounds-check nlmsg_len()

From: Eric Dumazet
Date: Thu Sep 01 2022 - 16:54:45 EST

Next message: Ceraolo Spurio, Daniele: "Re: [Intel-gfx] [PATCH v7 09/15] mei: bus: export common mkhi definitions into a separate header"
Previous message: Liam Howlett: "Re: [RFC PATCH RESEND 04/28] mm: move mmap_lock assert function definitions"
In reply to: Jakub Kicinski: "Re: [PATCH 1/2] netlink: Bounds-check nlmsg_len()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Sep 1, 2022 at 12:49 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Wed, 31 Aug 2022 23:27:08 -0700 Kees Cook wrote:
> > This would catch corrupted values...
> >
> > Is the concern the growth in image size? The check_sub_overflow() isn't
> > large at all -- it's just adding a single overflow bit test. The WARNs
> > are heavier, but they're all out-of-line.
>
> It turns the most obvious function into a noodle bar :(
>
> Looking at this function in particular is quite useful, because
> it clearly indicates that the nlmsg_len includes the header.
>
> How about we throw in a
>
> WARN_ON_ONCE(nlh->nlmsg_len < NLMSG_HDRLEN ||
> nlh->nlmsg_len > INT_MAX);
>
> but leave the actual calculation human readable C?

This is inlined, and will add a lot of extra code. We are making the
kernel slower at each release.

What about letting fuzzers like syzbot find the potential issues ?

DEBUG_NET_WARN_ON_ONCE(...);

Next message: Ceraolo Spurio, Daniele: "Re: [Intel-gfx] [PATCH v7 09/15] mei: bus: export common mkhi definitions into a separate header"
Previous message: Liam Howlett: "Re: [RFC PATCH RESEND 04/28] mm: move mmap_lock assert function definitions"
In reply to: Jakub Kicinski: "Re: [PATCH 1/2] netlink: Bounds-check nlmsg_len()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]