Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp1252508rdb;
        Fri, 1 Dec 2023 10:45:10 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGiKDhaJ6VFRuwRm2DUqRhHcXRWgquVGsFpv34cRR70IDhGIcubzO+DiFOwpsOTg3Yhbr4R
X-Received: by 2002:a05:6871:5c43:b0:1fa:fb60:b3e4 with SMTP id os3-20020a0568715c4300b001fafb60b3e4mr1764791oac.22.1701456309840;
        Fri, 01 Dec 2023 10:45:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701456309; cv=none;
        d=google.com; s=arc-20160816;
        b=VPRzDgMmAWb2ttO6TvgPLCaYFvJWHNLuA11OcsaenwctR78ykEJrSfczecM5eYE3jm
         YiduKkWexaHZZBTZXkS/MPnNQ4+hINNxzCPIpQE0Lh6mt9l7DoJzNsz3s9rP1EMy22cZ
         8dIEUTPTGAm4P1zSj8PikBEaR+X3p0OuLCoSXivfK6rGHUCkg+ks+MXZWfz6zqg404kw
         80680SYo1xCmgVL5ry9DK+cEo5QI7kls1UDtgxWEb9/sx+aN3kSUoAhCdYM8PirvbhO/
         OAcYv7wKObKETMQwBn0G6pcNw5dyPtqkBvAzxGhsqxPFN0hGHLXSoMOasyoiG75VCxBJ
         cKJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :subject:cc:to:from:date:dkim-signature;
        bh=7cyeRMOO6TLSvFw1XWhki6dHbthLgA98RCCABbJ077g=;
        fh=EN1+PnvKdn4Mnl9NT4IZDzFcV6XEJ3EDYA++33PfDng=;
        b=D+MlhAgPEjmMC0pP/xJW/yhiNiHPK1wSb9nlYkwJxsBVO3Oer+hyzuyWf8wVUdEoq5
         K1fMOuD83VYUmnu9OnWOtWkS4Vbau023kKFa3FrnzXYj2tMNAeNuonCwD99omnl6gDKL
         MbWRZ5va8T96+zJTjVqG0ondycH/1DuWOj3aZzKnFz6tHVdhISjC/nbcOWroiBQ8xFh3
         mzf0+3bDqHhSlqkfCwCyJAMd4ykrgfD7wF71SNLddmSh+D5jmya0Bg8Am9/dnXXghOJ1
         Wnguvn69wUGtzdcyFaoC0WL3bdLUGCkBzPH3PsAzSSGMaeJEM2U2own28jSi/21pux+3
         jiew==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FcqG69kP;
       spf=pass (google.com: domain of linux-wireless+bounces-305-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-305-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-wireless+bounces-305-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id fc18-20020ad44f32000000b0067a98576560si1776862qvb.451.2023.12.01.10.45.09
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 01 Dec 2023 10:45:09 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless+bounces-305-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FcqG69kP;
       spf=pass (google.com: domain of linux-wireless+bounces-305-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-305-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id A7EB21C20CBB
	for <linux.lists.archive@gmail.com>; Fri,  1 Dec 2023 18:45:08 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E62E84BA8F;
	Fri,  1 Dec 2023 18:45:07 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FcqG69kP"
X-Original-To: linux-wireless@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEED554BD0;
	Fri,  1 Dec 2023 18:45:07 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id CAF83C433C7;
	Fri,  1 Dec 2023 18:45:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1701456307;
	bh=6ayoBSJy6iihyBHwxLrx8Luk1kVUOImElJUsiwGZ0Z0=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=FcqG69kPysYDU470FPhnMo9aFkTzh5UFfSP+GB7jG1Kq2MgYkKkO9/7xS41/QItmY
	 GKebXgxqnFcpvOyfbJxBjKyr9N5A9UjF5UCcyDgiSAxUIUp9IvwZ+ix+on+62kKSLA
	 F7mloqInbrkRAX4DPZUL3VG/kZayO0kR6UoLgpzcdpDbW+qF62RXqVpn+LTW8v/oW8
	 vpsqubTRa1P6t/SiRDNShl1ShpFTrhT8bF9vrbcOzAIqFCFq6tgs9GLLlbvPi9r6QQ
	 niQ7PdyMU5YSJWJzwrDgR+MFlC8rvJC0pglI1Zk9VSYE7cGdU6bIzoMCDY/dLyS5qS
	 1v1SjukglLfEg==
Date: Fri, 1 Dec 2023 10:45:05 -0800
From: Jakub Kicinski <kuba@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: kernel test robot <lkp@intel.com>, "David S. Miller"
 <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Paolo Abeni
 <pabeni@redhat.com>, Johannes Berg <johannes@sipsolutions.net>, Jeff
 Johnson <quic_jjohnson@quicinc.com>, Michael Walle <mwalle@kernel.org>, Max
 Schulze <max.schulze@online.de>, netdev@vger.kernel.org,
 linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-hardening@vger.kernel.org
Subject: Re: [PATCH] netlink: Return unsigned value for nla_len()
Message-ID: <20231201104505.44ec5c89@kernel.org>
In-Reply-To: <202312010953.BEDC06111@keescook>
References: <20231130200058.work.520-kees@kernel.org>
	<20231130172520.5a56ae50@kernel.org>
	<202312010953.BEDC06111@keescook>
Precedence: bulk
X-Mailing-List: linux-wireless@vger.kernel.org
List-Id: <linux-wireless.vger.kernel.org>
List-Subscribe: <mailto:linux-wireless+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-wireless+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Fri, 1 Dec 2023 10:17:02 -0800 Kees Cook wrote:
> > > -static inline int nla_len(const struct nlattr *nla)
> > > +static inline u16 nla_len(const struct nlattr *nla)
> > >  {
> > > -	return nla->nla_len - NLA_HDRLEN;
> > > +	return nla->nla_len > NLA_HDRLEN ? nla->nla_len - NLA_HDRLEN : 0;
> > >  } =20
> >=20
> > Note the the NLA_HDRLEN is the length of struct nlattr.
> > I mean of the @nla object that gets passed in as argument here.
> > So accepting that nla->nla_len may be < NLA_HDRLEN means
> > that we are okay with dereferencing a truncated object...
> >=20
> > We can consider making the return unsinged without the condition maybe?=
 =20
>=20
> Yes, if we did it without the check, it'd do "less" damage on
> wrap-around. (i.e. off by U16_MAX instead off by INT_MAX).
>=20
> But I'd like to understand: what's the harm in adding the clamp? The
> changes to the assembly are tiny:
> https://godbolt.org/z/Ecvbzn1a1

Hm, I wonder if my explanation was unclear or you disagree..

This is the structure:

struct nlattr {
	__u16           nla_len; // attr len, incl. this header
	__u16           nla_type;
};

and (removing no-op wrappers):

#define NLA_HDRLEN	sizeof(struct nlattr)

So going back to the code:

	return nla->nla_len > NLA_HDRLEN ? nla->nla_len - NLA_HDRLEN...

We are reading nla->nla_len, which is the first 2 bytes of the structure.
And then we check if the structure is... there?

If we don't trust that struct nlattr which gets passed here is at least
NLA_HDRLEN (4B) then why do we think it's safe to read nla_len (the
first 2B of it)?

That's why I was pointing at nla_ok(). nla_ok() takes the size of the
buffer / message as an arg, so that it can also check if looking at
nla_len itself is not going to be an OOB access. 99% of netlink buffers
we parse come from user space. So it's not like someone could have
mis-initialized the nla_len in the kernel and being graceful is helpful.

The extra conditional is just a minor thing. The major thing is that
unless I'm missing something the check makes me go =F0=9F=A4=A8=EF=B8=8F