From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook, Jakub Kicinski, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Eric Dumazet, Paolo Abeni, syzbot, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, Sasha Levin, wsa+renesas@sang-engineering.com, horms@verge.net.au, johannes@sipsolutions.net, socketcan@hartkopp.net, petrm@nvidia.com, harshit.m.mogalapalli@oracle.com
Subject: [PATCH AUTOSEL 6.0 32/77] netlink: Bounds-check struct nlmsgerr creation
Date: Sun, 9 Oct 2022 18:07:09 -0400
Message-Id: <20221009220754.1214186-32-sashal@kernel.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20221009220754.1214186-1-sashal@kernel.org>
References: <20221009220754.1214186-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook [ Upstream commit 710d21fdff9a98d621cd4e64167f3ef8af4e2fd1 ] In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(), switch from __nlmsg_put to nlmsg_put(), and explain the bounds check for dealing with the memcpy() across a composite flexible array struct. Avoids this future run-time warning: memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16) Cc: Jakub Kicinski Cc: Pablo Neira Ayuso Cc: Jozsef Kadlecsik Cc: Florian Westphal Cc: "David S. Miller" Cc: Eric Dumazet Cc: Paolo Abeni Cc: syzbot Cc: netfilter-devel@vger.kernel.org Cc: coreteam@netfilter.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220901071336.1418572-1-keescook@chromium.org Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/netfilter/ipset/ip_set_core.c | 8 +++++--- net/netlink/af_netlink.c | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 16ae92054baa..6b31746f9be3 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1719,11 +1719,13 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb, skb2 = nlmsg_new(payload, GFP_KERNEL); if (!skb2) return -ENOMEM; - rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid, - nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); + rep = nlmsg_put(skb2, NETLINK_CB(skb).portid, + nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); errmsg = nlmsg_data(rep); errmsg->error = ret; - memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); + unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len, + /* Bounds checked by the skb layer. */); + cmdattr = (void *)&errmsg->msg + min_len; ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr, diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 0cd91f813a3b..d8d3ed2096a3 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c 
@@ -2440,11 +2440,13 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, return; } - rep = __nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, - NLMSG_ERROR, payload, flags); + rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, + NLMSG_ERROR, payload, flags); errmsg = nlmsg_data(rep); errmsg->error = err; - memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); + unsafe_memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) + ? nlh->nlmsg_len : sizeof(*nlh), + /* Bounds checked by the skb layer. */); if (nlk_has_extack && extack) { if (extack->_msg) { -- 2.35.1
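Review bot: in the ip_set_core.c hunk, `rep = nlmsg_put(skb2, ...)` can now return NULL where `__nlmsg_put()` could not (nlmsg_put() checks the tailroom and bails out instead of letting skb_put() hit its overflow panic), yet the next line `errmsg = nlmsg_data(rep);` dereferences it unchecked. Because `skb2 = nlmsg_new(payload, GFP_KERNEL);` two lines earlier sized the buffer from the same `payload`, the check cannot fail here, and that is precisely the invariant the `/* Bounds checked by the skb layer. */` argument of unsafe_memcpy() relies on; either a guard such as `if (WARN_ON_ONCE(!rep)) ...` or a sentence in that comment saying how `payload` relates to `nlh->nlmsg_len` (the hunk does not show it) would make the reliance explicit for the next reader. Minor: the diffstat's fifth insertion in this file is the blank line added before `cmdattr = (void *)&errmsg->msg + min_len;`, an unrelated whitespace change that could be dropped.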
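Review bot: in the af_netlink.c hunk the same unchecked NULL applies: `rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, NLMSG_ERROR, payload, flags);` may fail where the old `__nlmsg_put()` could not, and `errmsg = nlmsg_data(rep);` uses the result directly, with the allocation that guarantees the fit outside the hunk. The copy length `payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)` is also now split across three lines with the ternary continuation indented under the destination argument; since the two branches mean different things (whole original message versus header only), hoisting it into a named local, e.g. `size_t copy_len = payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh);`, before the unsafe_memcpy() would keep the call on one line and make the "Bounds checked by the skb layer" comment easier to verify against how `payload` was computed.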
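As an added example, not the patch's or the kernel's code, the following user-space C program models the sizing that netlink_ack() performs and makes the bounds check the patch delegates to the skb layer explicit. The two struct layouts are reproduced from the uapi definitions in <linux/netlink.h>; `struct buf`, `buf_put()`, `put_error_hdr()`, `build_ack()` and `sample_request()` are constructions of this example standing in for the sk_buff, nlmsg_put() and a real request, and the 24-byte request is constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout of struct nlmsghdr and struct nlmsgerr as in <linux/netlink.h>,
 * reproduced here so the example builds in user space. */
struct nlmsghdr {
    uint32_t nlmsg_len;    /* whole message length, header included */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct nlmsgerr {
    int error;
    struct nlmsghdr msg;   /* a full ack keeps writing past this 16-byte field */
};

#define NLMSG_ALIGNTO    ((size_t)4)
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN     NLMSG_ALIGN(sizeof(struct nlmsghdr))
#define NLMSG_ERROR      0x2

/* Stand-in for the sk_buff (an assumption of this example): aligned storage
 * with a capacity and a tail that only grows through buf_put(). */
struct buf {
    uint32_t words[32];
    size_t cap;            /* usable bytes, at most sizeof(words) */
    size_t len;            /* bytes already put */
};

/* The check the patch leaves to the skb layer: like nlmsg_put(), refuse to
 * reserve a message that does not fit the remaining tailroom. */
static void *buf_put(struct buf *b, size_t n)
{
    if (n > b->cap - b->len)
        return NULL;
    void *p = (unsigned char *)b->words + b->len;
    b->len += n;
    return p;
}

/* Mirrors nlmsg_put(skb, portid, seq, NLMSG_ERROR, payload, flags). */
static struct nlmsghdr *put_error_hdr(struct buf *b, const struct nlmsghdr *req,
                                     size_t payload)
{
    size_t size = NLMSG_HDRLEN + payload;
    struct nlmsghdr *rep = buf_put(b, NLMSG_ALIGN(size));
    if (!rep)
        return NULL;
    rep->nlmsg_len = (uint32_t)size;
    rep->nlmsg_type = NLMSG_ERROR;
    rep->nlmsg_flags = 0;
    rep->nlmsg_seq = req->nlmsg_seq;
    rep->nlmsg_pid = req->nlmsg_pid;
    memset((unsigned char *)rep + size, 0, NLMSG_ALIGN(size) - size); /* pad */
    return rep;
}

/* Size and build the error reply the way netlink_ack() does. With cap_ack
 * (NETLINK_F_CAP_ACK) only the offending header is echoed; otherwise the whole
 * request is, so the copy into &errmsg->msg deliberately spans past that field
 * into the bytes reserved through `payload` (the write FORTIFY_SOURCE flags).
 * Returns the number of bytes copied, or -1 if the reply does not fit. */
int build_ack(struct buf *out, const struct nlmsghdr *nlh, int err, int cap_ack)
{
    if (nlh->nlmsg_len < NLMSG_HDRLEN)
        return -1;                      /* malformed; the kernel rejects it earlier */

    size_t payload = sizeof(struct nlmsgerr);
    if (err && !cap_ack)
        payload += nlh->nlmsg_len - NLMSG_HDRLEN;   /* == nlmsg_len(nlh) */

    struct nlmsghdr *rep = put_error_hdr(out, nlh, payload);
    if (!rep)
        return -1;                      /* where nlmsg_put() returns NULL */

    struct nlmsgerr *errmsg = (struct nlmsgerr *)((unsigned char *)rep + NLMSG_HDRLEN);
    errmsg->error = err;

    size_t copy_len = payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh);
    /* The invariant behind "Bounds checked by the skb layer", made explicit:
     * the copy ends exactly where the reserved payload ends. */
    if (offsetof(struct nlmsgerr, msg) + copy_len > payload)
        return -1;
    memcpy(&errmsg->msg, nlh, copy_len);
    return (int)copy_len;
}

/* Constructed sample request: a 16-byte header followed by 8 bytes of
 * attribute data (0xAB), so nlmsg_len is 24. */
const struct nlmsghdr *sample_request(void)
{
    static uint32_t storage[6];
    struct nlmsghdr h = { .nlmsg_len = 24, .nlmsg_type = 0x10, .nlmsg_flags = 1,
                          .nlmsg_seq = 7, .nlmsg_pid = 1234 };
    memcpy(storage, &h, sizeof h);
    memset((unsigned char *)storage + sizeof h, 0xAB, 8);
    return (const struct nlmsghdr *)storage;
}
```

Calling `build_ack()` on the sample request with `err = -22` and `cap_ack = 0` copies 24 bytes into a field whose declared size is 16, which is the field-spanning write the commit message quotes, while the 44-byte reply still fits the reserved region exactly; with `cap_ack = 1` only the 16-byte header is echoed. Giving it a 40-byte buffer makes `buf_put()` refuse, which is the case nlmsg_put() reports by returning NULL and the patched call sites do not check.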