From: Kees Cook
Date: Tue, 20 Feb 2018 22:00:26 -0800
Subject: nla_put_string() vs NLA_STRING
To: Thomas Graf
Cc: Johannes Berg, Daniel Borkmann, Alexei Starovoitov, Network Development, LKML, Daniel Micay
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

It seems that in at least one case[1], nla_put_string() is being used on
an NLA_STRING, which lacks a NULL terminator, which leads to silliness
when nla_put_string() uses strlen() to figure out the size:

/**
 * nla_put_string - Add a string netlink attribute to a socket buffer
 * @skb: socket buffer to add attribute to
 * @attrtype: attribute type
 * @str: NUL terminated string
 */
static inline int nla_put_string(struct sk_buff *skb, int attrtype,
				 const char *str)
{
	return nla_put(skb, attrtype, strlen(str) + 1, str);
}

This is a problem at least here:

struct regulatory_request {
	...
	char alpha2[2];
	...

static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
	...
	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
	...

AIUI, working with NLA_STRING needs nla_strlcpy() to "extract" them,
and that takes the nla_policy size normally to bounds-check the copy.
So, this specific problem needs fixing (in at least two places calling
nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, ...)). While I suspect it's
only ever written an extra byte from the following variable in the
structure which is an enum nl80211_dfs_regions, I worry there might be a
lot more of these (though I'd hope unterminated strings are uncommon for
internal representation).

And more generally, it seems like only the NLA _input_ functions actually
check nla_policy details. It seems that the output functions should do
the same too, yes?

-Kees

[1] https://github.com/copperhead/linux-hardened/issues/72

-- 
Kees Cook
Pixel Security
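To illustrate the policy-checked output path the mail asks about, paired with nla_strlcpy()-style extraction on the receiving side, here is an added userspace model; it is not kernel code, and its nla_put/nla_strlcpy models, attribute numbering and on-wire layout are simplifications constructed for this example.

```c
#include <string.h>
/* Userspace model constructed for this example; not the kernel's definitions. */
enum { ATTR_REG_ALPHA2 = 1, NUM_ATTR }; enum { NLA_STRING = 1 };
struct nla_policy { int type; size_t len; };
static const struct nla_policy policy[NUM_ATTR] = {
	[ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
};
/* Same shape as in the mail: no room for a terminator, another field right after. */
struct regulatory_request { char alpha2[2]; int dfs_region; };
struct msg { unsigned char data[32]; size_t used; };
/* Model of nla_put(): type byte, length byte, then exactly @len payload bytes. */
static int nla_put(struct msg *m, int attrtype, size_t len, const void *src)
{
	if (len > 255 || m->used + 2 + len > sizeof(m->data)) return -1;
	m->data[m->used++] = (unsigned char)attrtype;
	m->data[m->used++] = (unsigned char)len;
	memcpy(m->data + m->used, src, len);
	m->used += len;
	return 0;
}
/* Policy-checked output: the end-of-string scan is bounded by policy .len instead
 * of trusting strlen(), so a 2-byte unterminated alpha2 never reads into dfs_region.
 * A nonzero .len is required here (an assumption of this model). */
static int nla_put_string_checked(struct msg *m, int attrtype, const char *str)
{
	if (attrtype <= 0 || attrtype >= NUM_ATTR || policy[attrtype].type != NLA_STRING
	    || policy[attrtype].len == 0) return -1;
	size_t max = policy[attrtype].len;
	const char *nul = memchr(str, '\0', max);
	return nla_put(m, attrtype, nul ? (size_t)(nul - str) : max, str);
}
/* Receiver side, modelled on nla_strlcpy(): at most dstsize-1 bytes, always terminated. */
static size_t nla_strlcpy_model(char *dst, const unsigned char *src, size_t plen, size_t dstsize)
{
	size_t n = plen < dstsize - 1 ? plen : dstsize - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}
/* Round trip: build a request whose alpha2 is {a, b}, emit it, extract it into
 * `extracted`; returns the payload length emitted, or -1 if the policy rejects it. */
static char extracted[3];
static int alpha2_round_trip(char a, char b)
{
	struct regulatory_request req = { { a, b }, 7 };	/* 7: arbitrary dfs_region */
	struct msg m = { { 0 }, 0 };
	if (nla_put_string_checked(&m, ATTR_REG_ALPHA2, req.alpha2) < 0) return -1;
	nla_strlcpy_model(extracted, m.data + 2, m.data[1], sizeof(extracted));
	return (int)m.data[1];
}
```

The emitted attribute carries exactly the policy-bounded bytes and no terminator; the receiver's bounded copy is what supplies the NUL, which is the division of labour the mail describes for nla_strlcpy().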