Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()
From: Dan Carpenter
Date: Fri Jan 24 2025 - 09:35:42 EST
On Wed, Jan 22, 2025 at 06:24:27AM -0800, Jakub Kicinski wrote:
> On Wed, 22 Jan 2025 16:49:17 +0300 Dan Carpenter wrote:
> > The "payload" variable is type size_t, however the nlmsg_total_size()
> > function will a few bytes to it and then truncate the result to type
> > int. That means that if "payload" is more than UINT_MAX the alloc_skb()
> > function might allocate a buffer which is smaller than intended.
>
> Is there a bug, or is this theoretical?
The rule here is that if we pass something very close to UINT_MAX to
nlmsg_new() the it leads to an integer overflow. I'm not a networking
expert. The caller that concerned me was:
*** 1 ***
net/netfilter/ipset/ip_set_core.c
1762 /* Error in restore/batch mode: send back lineno */
1763 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1764 struct sk_buff *skb2;
1765 struct nlmsgerr *errmsg;
1766 size_t payload = min(SIZE_MAX,
1767 sizeof(*errmsg) + nlmsg_len(nlh));
I don't know the limits of limits of nlmsg_len() here.
The min(SIZE_MAX is what scared me. That was added to silence a Smatch
warning. :P It should be fixed or removed.
1768 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1769 struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
1770 struct nlattr *cmdattr;
1771 u32 *errline;
1772
1773 skb2 = nlmsg_new(payload, GFP_KERNEL);
1774 if (!skb2)
1775 return -ENOMEM;
*** 2 ***
There is similar code in netlink_ack() where the payload comes from
nlmsg_len(nlh).
*** 3 ***
There is a potential issue in queue_userspace_packet() when we call:
len = upcall_msg_size(upcall_info, hlen - cutlen, ...
^^^^^^^^^^^^^
user_skb = genlmsg_new(len, GFP_ATOMIC);
It's possible that hlen is less than cutlen. (That's a separate bug,
I'll send a fix for it).
regards,
dan carpenter