Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary

[PATCH 00/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-04
[PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary · "Gustavo A. R. Silva" <gustavoars@kernel.org> · 2022-05-04
Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary · Kees Cook <hidden> · 2022-05-04
[PATCH 04/32] fortify: Add run-time WARN for cross-field memcpy() · Kees Cook <hidden> · 2022-05-04
[PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Johannes Berg <johannes@sipsolutions.net> · 2022-05-04
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-04
RE: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · David Laight <hidden> · 2022-05-04
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Johannes Berg <johannes@sipsolutions.net> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Keith Packard <keithp@keithp.com> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Keith Packard <keithp@keithp.com> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Johannes Berg <johannes@sipsolutions.net> · 2022-05-05
RE: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · David Laight <hidden> · 2022-05-06
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-05
[PATCH 05/32] brcmfmac: Use mem_to_flex_dup() with struct brcmf_fweh_queue_item · Kees Cook <hidden> · 2022-05-04
[PATCH 10/32] wcn36xx: Use mem_to_flex_dup() with struct wcn36xx_hal_ind_msg · Kees Cook <hidden> · 2022-05-04
[PATCH 14/32] af_unix: Use mem_to_flex_dup() with struct unix_address · Kees Cook <hidden> · 2022-05-04
[PATCH 11/32] nl80211: Use mem_to_flex_dup() with struct cfg80211_cqm_config · Kees Cook <hidden> · 2022-05-04
[PATCH 08/32] iwlwifi: mvm: Use mem_to_flex_dup() with struct ieee80211_key_conf · Kees Cook <hidden> · 2022-05-04
[PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies · Johannes Berg <johannes@sipsolutions.net> · 2022-05-04
Re: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies · Kees Cook <hidden> · 2022-05-04
[PATCH 06/32] iwlwifi: calib: Prepare to use mem_to_flex_dup() · Kees Cook <hidden> · 2022-05-04
[PATCH 07/32] iwlwifi: calib: Use mem_to_flex_dup() with struct iwl_calib_result · Kees Cook <hidden> · 2022-05-04
[PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg · Kees Cook <hidden> · 2022-05-04
[PATCH 26/32] ima: Use mem_to_flex_dup() with struct modsig · Kees Cook <hidden> · 2022-05-04
[PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path · Kees Cook <hidden> · 2022-05-04
[PATCH 21/32] soc: qcom: apr: Use mem_to_flex_dup() with struct apr_rx_buf · Kees Cook <hidden> · 2022-05-04
[PATCH 16/32] 802/mrp: Use mem_to_flex_dup() with struct mrp_attr · Kees Cook <hidden> · 2022-05-04
[PATCH 03/32] flex_array: Add Kunit tests · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 03/32] flex_array: Add Kunit tests · David Gow <hidden> · 2022-05-04
Re: [PATCH 03/32] flex_array: Add Kunit tests · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 03/32] flex_array: Add Kunit tests · Daniel Latypov <hidden> · 2022-05-04
[PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl · David Howells <dhowells@redhat.com> · 2022-05-12
Re: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl · Kees Cook <hidden> · 2022-05-13
[PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property · Rob Herring <robh@kernel.org> · 2022-05-04
[PATCH 15/32] 802/garp: Use mem_to_flex_dup() with struct garp_attr · Kees Cook <hidden> · 2022-05-04
[PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data · Mark Brown <broonie@kernel.org> · 2022-05-04
[PATCH 18/32] firewire: Use __mem_to_flex_dup() with struct iso_interrupt_event · Kees Cook <hidden> · 2022-05-04
[PATCH 09/32] p54: Use mem_to_flex_dup() with struct p54_cal_database · Kees Cook <hidden> · 2022-05-04
[PATCH 17/32] net/flow_offload: Use mem_to_flex_dup() with struct flow_action_cookie · Kees Cook <hidden> · 2022-05-04
[PATCH 13/32] mac80211: Use mem_to_flex_dup() with several structs · Kees Cook <hidden> · 2022-05-04
[PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Paul Moore <paul@paul-moore.com> · 2022-05-04
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · "Gustavo A. R. Silva" <gustavoars@kernel.org> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Paul Moore <paul@paul-moore.com> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Kees Cook <hidden> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Paul Moore <paul@paul-moore.com> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · "Gustavo A. R. Silva" <gustavoars@kernel.org> · 2022-05-06
[PATCH 22/32] atags_proc: Use mem_to_flex_dup() with struct buffer · Kees Cook <hidden> · 2022-05-04
[PATCH 32/32] esas2r: Use __mem_to_flex() with struct atto_ioctl · Kees Cook <hidden> · 2022-05-04
[PATCH 24/32] IB/hfi1: Use mem_to_flex_dup() for struct tid_rb_node · Kees Cook <hidden> · 2022-05-04
[PATCH 27/32] KEYS: Use mem_to_flex_dup() with struct user_key_payload · Kees Cook <hidden> · 2022-05-04
[PATCH 30/32] usb: gadget: f_fs: Use mem_to_flex_dup() with struct ffs_buffer · Kees Cook <hidden> · 2022-05-04
[PATCH 31/32] xenbus: Use mem_to_flex_dup() with struct read_buffer · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 00/32] Introduce flexible array struct memcpy() helpers · David Howells <dhowells@redhat.com> · 2022-05-12

From: Kees Cook <hidden>
Date: 2022-05-04 03:37:49
Also in: keyrings, linux-arm-msm, linux-bluetooth, linux-devicetree, linux-hardening, linux-hyperv, linux-integrity, linux-rdma, linux-scsi, linux-usb, linux-wireless, llvm, netdev, selinux, xen-devel

On Tue, May 03, 2022 at 10:31:05PM -0500, Gustavo A. R. Silva wrote:

On Tue, May 03, 2022 at 06:44:10PM -0700, Kees Cook wrote:
[...]

quoted

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 1b5a9c2e1c29..09346aee1022 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c

@@ -2445,7 +2445,10 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
 			  NLMSG_ERROR, payload, flags);
 	errmsg = nlmsg_data(rep);
 	errmsg->error = err;
-	memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh));
+	errmsg->msg = *nlh;
+	if (payload > sizeof(*errmsg))
+		memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload,
+		       nlh->nlmsg_len - sizeof(*nlh));

They have nlmsg_len()[1] for the length of the payload without the header:

/**
 * nlmsg_len - length of message payload
 * @nlh: netlink message header
 */
static inline int nlmsg_len(const struct nlmsghdr *nlh)
{
	return nlh->nlmsg_len - NLMSG_HDRLEN;
}

Oh, hm, yeah, that would be much cleaner. The relationship between
"payload" and nlmsg_len is confusing in here. :)

So, this should be simpler:

-	memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh));
+	errmsg->msg = *nlh;
+	memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, nlmsg_len(nlh));

It's actually this case that triggered my investigation in __bos(1)'s
misbehavior around sub-structs, since this case wasn't getting silenced:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832

It still feels like it should be possible to get this right without
splitting the memcpy, though. Hmpf.

(would that function use some sanitization, though? what if nlmsg_len is
somehow manipulated to be less than NLMSG_HDRLEN?...)

Maybe something like:

static inline int nlmsg_len(const struct nlmsghdr *nlh)
{
	if (WARN_ON(nlh->nlmsg_len < NLMSG_HDRLEN))
		return 0;
	return nlh->nlmsg_len - NLMSG_HDRLEN;
}

quoted hunk ↗ jump to hunk

Also, it seems there is at least one more instance of this same issue:

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 16ae92054baa..d06184b94af5 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c

@@ -1723,7 +1723,8 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
                                  nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
                errmsg = nlmsg_data(rep);
                errmsg->error = ret;
-               memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
+               errmsg->msg = *nlh;
+               memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, nlmsg_len(nlh));

Ah, yes, nice catch!

                cmdattr = (void *)&errmsg->msg + min_len;

                ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr,

--
Gustavo

[1] https://elixir.bootlin.com/linux/v5.18-rc5/source/include/net/netlink.h#L577

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help