Date: Thu, 30 Nov 2023 17:25:20 -0800
From: Jakub Kicinski
To: Kees Cook
Cc: kernel test robot, "David S. Miller", Eric Dumazet, Paolo Abeni, Johannes Berg, Jeff Johnson, Michael Walle, Max Schulze, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] netlink: Return unsigned value for nla_len()
Message-ID: <20231130172520.5a56ae50@kernel.org>
In-Reply-To: <20231130200058.work.520-kees@kernel.org>

On Thu, 30 Nov 2023 12:01:01 -0800 Kees Cook wrote:
> This has the additional benefit of being defensive in the face of nlattr
> corruption or logic errors (i.e. nla_len being set smaller than
> NLA_HDRLEN).

As Johannes predicted I'd rather not :(

The callers should put the nlattr thru nla_ok() during validation
(nla_validate()), or walking (nla_for_each_* call nla_ok()).

> -static inline int nla_len(const struct nlattr *nla)
> +static inline u16 nla_len(const struct nlattr *nla)
> {
> - return nla->nla_len - NLA_HDRLEN;
> + return nla->nla_len > NLA_HDRLEN ? nla->nla_len - NLA_HDRLEN : 0;
> }

Note that the NLA_HDRLEN is the length of struct nlattr.
I mean of the @nla object that gets passed in as argument here.
So accepting that nla->nla_len may be < NLA_HDRLEN means
that we are okay with dereferencing a truncated object...

We can consider making the return unsigned without the condition maybe?
--
pw-bot: cr
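
Review bot: On the added `return` line, the `nla->nla_len > NLA_HDRLEN ? ... : 0` clamp yields 0 both for a valid attribute with an empty payload (nla_len == NLA_HDRLEN) and for a header whose nla_len is below NLA_HDRLEN, so a caller can no longer tell a malformed attribute from an empty one by the returned length. If the u16 return type is kept, consider dropping the conditional and adding a comment on nla_len() stating that the attribute must already have passed nla_ok(), so the precondition is documented next to the subtraction.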
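
The validate-before-length ordering the reply describes, as an added example that is not part of the original message and is not kernel code. It is a userspace model: every `model_` name is hypothetical, the three checks mirror those in nla_ok(), and the input buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of struct nlattr; every model_ name is hypothetical. */
struct model_nlattr { uint16_t nla_len, nla_type; };
#define MODEL_HDRLEN ((int)sizeof(struct model_nlattr)) /* 4, like NLA_HDRLEN */
#define MODEL_ALIGN(n) (((n) + 3) & ~3)

/* The same three checks nla_ok() makes before an attribute is used. */
static int model_nla_ok(const struct model_nlattr *nla, int remaining)
{
	return remaining >= MODEL_HDRLEN && nla->nla_len >= MODEL_HDRLEN &&
	       nla->nla_len <= remaining;
}

/* Plain subtraction, as on the "-" line of the quoted hunk. */
static int model_nla_len(const struct model_nlattr *nla)
{
	return nla->nla_len - MODEL_HDRLEN;
}

/* Validate each attribute, then read its length; -1 if validation fails. */
static int model_walk(const unsigned char *buf, int len)
{
	int total = 0;
	while (len > 0) {
		struct model_nlattr nla = {0, 0};
		memcpy(&nla, buf, len < MODEL_HDRLEN ? (size_t)len : sizeof(nla));
		if (!model_nla_ok(&nla, len))
			return -1;
		total += model_nla_len(&nla);
		int step = MODEL_ALIGN(nla.nla_len) < len ? MODEL_ALIGN(nla.nla_len) : len;
		buf += step;
		len -= step;
	}
	return total;
}

/* Constructed input: an 8-byte attribute, then one claiming second_len. */
static int model_demo(uint16_t second_len)
{
	unsigned char buf[12] = {0};
	struct model_nlattr a = {8, 1}, b = {second_len, 2};
	memcpy(buf, &a, sizeof(a));
	memcpy(buf + 8, &b, sizeof(b));
	return model_walk(buf, (int)sizeof(buf));
}

int main(void) { printf("%d %d\n", model_demo(4), model_demo(2)); return 0; }
```

With a second attribute of length 4 the walk returns a payload total of 4; with length 2 it stops at the check, so the subtraction never sees a value below the header length.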