On Thu, Jun 29, 2017 at 6:22 PM, Pablo Neira Ayuso [off-list ref] wrote:

On Tue, Jun 27, 2017 at 07:05:27PM +0200, Pablo Neira Ayuso wrote:

quoted

On Tue, Jun 27, 2017 at 05:58:25PM +0200, Pablo Neira Ayuso wrote:

quoted

On Wed, Jun 07, 2017 at 03:50:38PM +0200, Mateusz Jurczyk wrote:

quoted

Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < NLMSG_HDRLEN expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Applied, thanks.

Wait, I keeping this back after closer look.

I think we have to remove this:

        if (nlh->nlmsg_len < NLMSG_HDRLEN || <---
            skb->len < NLMSG_HDRLEN + sizeof(struct nfgenmsg))
                return;

in nfnetlink_rcv_skb_batch()

now that we make this unfront check from nfnetlink_rcv().

BTW, I can just mangle your patch here to delete such line to speed up
things. See the mangled patch that is attached to this email.

Sure, I think the condition in nfnetlink_rcv_skb_batch() can be now
safely removed. Feel free to proceed with the mangled patch. Thanks.