Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752640AbdF0P6e (ORCPT ); Tue, 27 Jun 2017 11:58:34 -0400 Received: from mail.us.es ([193.147.175.20]:48820 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751776AbdF0P6d (ORCPT ); Tue, 27 Jun 2017 11:58:33 -0400 Date: Tue, 27 Jun 2017 17:58:25 +0200 From: Pablo Neira Ayuso To: Mateusz Jurczyk Cc: Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv Message-ID: <20170627155825.GA4885@salvia> References: <1496841821.736.35.camel@edumazet-glaptop3.roam.corp.google.com> <20170607135038.1592-1-mjurczyk@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170607135038.1592-1-mjurczyk@google.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 775 Lines: 14 On Wed, Jun 07, 2017 at 03:50:38PM +0200, Mateusz Jurczyk wrote: > Verify that the length of the socket buffer is sufficient to cover the > nlmsghdr structure before accessing the nlh->nlmsg_len field for further > input sanitization. If the client only supplies 1-3 bytes of data in > sk_buff, then nlh->nlmsg_len remains partially uninitialized and > contains leftover memory from the corresponding kernel allocation. > Operating on such data may result in indeterminate evaluation of the > nlmsg_len < NLMSG_HDRLEN expression. > > The bug was discovered by a runtime instrumentation designed to detect > use of uninitialized memory in the kernel. The patch prevents this and > other similar tools (e.g. KMSAN) from flagging this behavior in the future. Applied, thanks.