Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp3019313rdb; Mon, 4 Dec 2023 14:21:15 -0800 (PST) X-Google-Smtp-Source: AGHT+IHic85S1o3jOBCaoLaUoWiGRDm3mJBAoCC2zppBFAEKL3XGL5e4pE4cRrboTssMQ4hqujCl X-Received: by 2002:ae9:e648:0:b0:77d:a1d1:3903 with SMTP id x8-20020ae9e648000000b0077da1d13903mr308916qkl.66.1701728475586; Mon, 04 Dec 2023 14:21:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701728475; cv=none; d=google.com; s=arc-20160816; b=cnxQ1KrvKmrnm3rP0nl6k1qjgd/eCJ1wRFtHqr8OkkQAVCMoa19keD/v/UpuuS2C4h Hi/YqbYinHS1k6X+FI2dRu2uYf8UShNFhiyqqg7DnCUzD4Og2s4UbGXcGhAp2SlSCbrO A0JFrBO8jaUO7XJLLK6xfAGw87Eg+AAR1qvV2kwZYDQSbcrfeYmaMWREgLnY/oYjzv5P sYR2fGz5f28zjq8Oz+2xVFKQ4y+Shck2m9Ho71Pj6MZDw7jPD6WeOmvPEa92hGfkvJ9b kkZS2HkinVjJVScXu8FAASYFKgfOcwkzjiLFFAF6zdJghjitK2/tdFihbXWlchzhzug0 k6PQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=ehtQUXwRDZKnRhPirJrr51oPYToKsRQq0IW02tneMYk=; fh=OISQw3H7/oL4zaDIAHjZz5y4YWXbOzgTWv7k+N6BnkU=; b=KKaPej6jbeqWYsqYtfhCQColrj50hrROidVko2f0NmABf3m7YKkGtL8LP6rx69HMfB 5yaG7R5f5KN0rtomv9D2Z3zQG4G20jVsJlx33YGQpkSpZgt3a+PEcu/FNKzrZFuUkv9/ Rz6MVQiODi8h2CTTMM/ieKnqFdLcfZf7eawVuuOyh9VY72miSpIiLKby+ZYWR7Lgl2xc UEqkt/sx+OCRS2AKVCe3VcivAWITNTufyNxagf4pabSVCz4c8W+36v5oBKD6AKduBTat x2koC5aqSK6t4JDDgh+OlrJEeSxGDYuiOIrzsa8KJf28qpglndqYkPjmGeAOXH8WOotr wfgw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CHiBSIMt; spf=pass (google.com: domain of linux-wireless+bounces-407-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-407-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id u16-20020a05620a0c5000b007759ca1265csi10775300qki.263.2023.12.04.14.21.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Dec 2023 14:21:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-407-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CHiBSIMt; spf=pass (google.com: domain of linux-wireless+bounces-407-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-407-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 5A5921C20BD0 for ; Mon, 4 Dec 2023 22:21:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D7AED3BB20; Mon, 4 Dec 2023 22:21:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="CHiBSIMt" X-Original-To: linux-wireless@vger.kernel.org Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13E3C19B5 for ; Mon, 4 Dec 2023 14:21:06 -0800 (PST) Received: by mail-pg1-x52f.google.com with SMTP id 41be03b00d2f7-5c659db0ce2so2088298a12.0 for ; Mon, 04 Dec 2023 14:21:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1701728465; x=1702333265; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=ehtQUXwRDZKnRhPirJrr51oPYToKsRQq0IW02tneMYk=; b=CHiBSIMt7cCtjE0xahD6goP/Gv2seDpXWIKksbEDlzNJeAQCuE1BBt6O85BOvlICpU vfrZeMw6uynrOsRr1LdVB7XQd7EjPP7hw0A+NGdDKOTqPjRjcibLluM/rfLl4iNoFcV5 r2rspn6wt0bzeTU1qwfxfnF8bWzbBo9lbzw3s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701728465; x=1702333265; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ehtQUXwRDZKnRhPirJrr51oPYToKsRQq0IW02tneMYk=; b=n+hBya+eazWgE2LoSnhWF78KewJcS9ng2yYR74J8KOAux7oMELOLkrrcnj5SbFY7G6 dEecqRSpjZK6smxC6WeXh0peDxLFC+/F19aXMo07xw2JWfSEHExAMwdWgKUjXDkYQu0w E5UTfZY4XxwVprg+TGapd9gzZmuIz/Nzi1cCjRkl4OivwKp1mkhhrZ6I+f8UMCaYbIqn /8Ag9O1P4Gh3w1nZzPQktDnIqUbZjB/LYPMvCSm12qJVxz5tB4cUTWypsi4myvZH0Kdz e4wqBbgVt/Kgi1re8v0exrj/BBWEzk7gUGldZcE7WaDFY45JSLphnntiCAcSCarF3I/G 0EhQ== X-Gm-Message-State: AOJu0Yy8PQfUo1qRoUgVq7Hvi92Nqa8BJJs1Obj5HJOiW+HfcWb7+sWp kdA7CkPk9/ccV3AZpCvS1KnoVQ== X-Received: by 2002:a17:902:f544:b0:1cf:c649:529c with SMTP id h4-20020a170902f54400b001cfc649529cmr6001552plf.18.1701728465486; Mon, 04 Dec 2023 14:21:05 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id m3-20020a170902c44300b001d084f4fad5sm3707362plm.2.2023.12.04.14.21.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Dec 2023 14:21:04 -0800 (PST) Date: Mon, 4 Dec 2023 14:21:04 -0800 From: Kees Cook To: Nicolas Dichtel Cc: Jakub Kicinski , kernel test robot , "David S. Miller" , Eric Dumazet , Paolo Abeni , Johannes Berg , Jeff Johnson , Michael Walle , Max Schulze , netdev@vger.kernel.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v2] netlink: Return unsigned value for nla_len() Message-ID: <202312041420.886C9F3@keescook> References: <20231202202539.it.704-kees@kernel.org> <95924d9e-b373-40fd-993c-25b0bae55e61@6wind.com> Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <95924d9e-b373-40fd-993c-25b0bae55e61@6wind.com> On Mon, Dec 04, 2023 at 10:22:25AM +0100, Nicolas Dichtel wrote: > Le 02/12/2023 ? 21:25, Kees Cook a ?crit?: > > The return value from nla_len() is never expected to be negative, and can > > never be more than struct nlattr::nla_len (a u16). Adjust the prototype > > on the function. This will let GCC's value range optimization passes > > know that the return can never be negative, and can never be larger than > > u16. As recently discussed[1], this silences the following warning in > > GCC 12+: > > > > net/wireless/nl80211.c: In function 'nl80211_set_cqm_rssi.isra': > > net/wireless/nl80211.c:12892:17: warning: 'memcpy' specified bound 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=] > > 12892 | memcpy(cqm_config->rssi_thresholds, thresholds, > > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > 12893 | flex_array_size(cqm_config, rssi_thresholds, > > | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > 12894 | n_thresholds)); > > | ~~~~~~~~~~~~~~ > > > > A future change would be to clamp the subtraction to make sure it never > > wraps around if nla_len is somehow less than NLA_HDRLEN, which would > > have the additional benefit of being defensive in the face of nlattr > > corruption or logic errors. > > > > Reported-by: kernel test robot > > Closes: https://lore.kernel.org/oe-kbuild-all/202311090752.hWcJWAHL-lkp@intel.com/ [1] > > Cc: Jakub Kicinski > > Cc: "David S. Miller" > > Cc: Eric Dumazet > > Cc: Paolo Abeni > > Cc: Johannes Berg > > Cc: Jeff Johnson > > Cc: Michael Walle > > Cc: Max Schulze > > Cc: netdev@vger.kernel.org > > Cc: linux-wireless@vger.kernel.org > > Signed-off-by: Kees Cook > > --- > > v2: > > - do not clamp return value (kuba) > > - adjust NLA_HDRLEN to be u16 also > > v1: https://lore.kernel.org/all/20231130200058.work.520-kees@kernel.org/ > > --- > > include/net/netlink.h | 2 +- > > include/uapi/linux/netlink.h | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/include/net/netlink.h b/include/net/netlink.h > > index 83bdf787aeee..7678a596a86b 100644 > > --- a/include/net/netlink.h > > +++ b/include/net/netlink.h > > @@ -1200,7 +1200,7 @@ static inline void *nla_data(const struct nlattr *nla) > > * nla_len - length of payload > > * @nla: netlink attribute > > */ > > -static inline int nla_len(const struct nlattr *nla) > > +static inline u16 nla_len(const struct nlattr *nla) > > { > > return nla->nla_len - NLA_HDRLEN; > > } > > diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h > > index f87aaf28a649..270feed9fd63 100644 > > --- a/include/uapi/linux/netlink.h > > +++ b/include/uapi/linux/netlink.h > > @@ -247,7 +247,7 @@ struct nlattr { > > > > #define NLA_ALIGNTO 4 > > #define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)) > > -#define NLA_HDRLEN ((int) NLA_ALIGN(sizeof(struct nlattr))) > > +#define NLA_HDRLEN ((__u16) NLA_ALIGN(sizeof(struct nlattr))) > I wonder if this may break the compilation of some userspace tools with errors > like comparing signed and unsigned values. Should I drop this part, then? -- Kees Cook