Message ID | 20210727205855.411487-63-keescook@chromium.org (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | Introduce strict memcpy() bounds checking | expand |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Guessing tree name failed - patch did not apply |
On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring fields. > > Add a flexible array member to mark the end of struct nlmsghdr, and > split the memcpy() to avoid false positive memcpy() warning: > > memcpy: detected field-spanning write (size 32) of single field (size 16) > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > include/uapi/linux/netlink.h | 1 + > net/netlink/af_netlink.c | 4 +++- > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h > index 4c0cde075c27..ddeaa748df5e 100644 > --- a/include/uapi/linux/netlink.h > +++ b/include/uapi/linux/netlink.h > @@ -47,6 +47,7 @@ struct nlmsghdr { > __u16 nlmsg_flags; /* Additional flags */ > __u32 nlmsg_seq; /* Sequence number */ > __u32 nlmsg_pid; /* Sending process port ID */ > + __u8 contents[]; Is this ok to change a public, userspace visable, structure? Nothing breaks? thanks, greg k-h
On 28/07/2021 07.49, Greg Kroah-Hartman wrote: > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: >> In preparation for FORTIFY_SOURCE performing compile-time and run-time >> field bounds checking for memcpy(), memmove(), and memset(), avoid >> intentionally writing across neighboring fields. >> >> Add a flexible array member to mark the end of struct nlmsghdr, and >> split the memcpy() to avoid false positive memcpy() warning: >> >> memcpy: detected field-spanning write (size 32) of single field (size 16) >> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> --- >> include/uapi/linux/netlink.h | 1 + >> net/netlink/af_netlink.c | 4 +++- >> 2 files changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h >> index 4c0cde075c27..ddeaa748df5e 100644 >> --- a/include/uapi/linux/netlink.h >> +++ b/include/uapi/linux/netlink.h >> @@ -47,6 +47,7 @@ struct nlmsghdr { >> __u16 nlmsg_flags; /* Additional flags */ >> __u32 nlmsg_seq; /* Sequence number */ >> __u32 nlmsg_pid; /* Sending process port ID */ >> + __u8 contents[]; > > Is this ok to change a public, userspace visable, structure? At least it should keep using a nlmsg_ prefix for consistency and reduce risk of collision with somebody having defined an object-like contents macro. But there's no guarantees in any case, of course. Rasmus
On Wed, Jul 28, 2021 at 01:24:01PM +0200, Rasmus Villemoes wrote: > On 28/07/2021 07.49, Greg Kroah-Hartman wrote: > > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > >> In preparation for FORTIFY_SOURCE performing compile-time and run-time > >> field bounds checking for memcpy(), memmove(), and memset(), avoid > >> intentionally writing across neighboring fields. > >> > >> Add a flexible array member to mark the end of struct nlmsghdr, and > >> split the memcpy() to avoid false positive memcpy() warning: > >> > >> memcpy: detected field-spanning write (size 32) of single field (size 16) > >> > >> Signed-off-by: Kees Cook <keescook@chromium.org> > >> --- > >> include/uapi/linux/netlink.h | 1 + > >> net/netlink/af_netlink.c | 4 +++- > >> 2 files changed, 4 insertions(+), 1 deletion(-) > >> > >> diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h > >> index 4c0cde075c27..ddeaa748df5e 100644 > >> --- a/include/uapi/linux/netlink.h > >> +++ b/include/uapi/linux/netlink.h > >> @@ -47,6 +47,7 @@ struct nlmsghdr { > >> __u16 nlmsg_flags; /* Additional flags */ > >> __u32 nlmsg_seq; /* Sequence number */ > >> __u32 nlmsg_pid; /* Sending process port ID */ > >> + __u8 contents[]; > > > > Is this ok to change a public, userspace visable, structure? > > At least it should keep using a nlmsg_ prefix for consistency and reduce > risk of collision with somebody having defined an object-like contents > macro. But there's no guarantees in any case, of course. Ah, good call. I've adjusted this and added a comment. Thanks! -Kees
On Wed, Jul 28, 2021 at 07:49:46AM +0200, Greg Kroah-Hartman wrote: > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > > intentionally writing across neighboring fields. > > > > Add a flexible array member to mark the end of struct nlmsghdr, and > > split the memcpy() to avoid false positive memcpy() warning: > > > > memcpy: detected field-spanning write (size 32) of single field (size 16) > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > --- > > include/uapi/linux/netlink.h | 1 + > > net/netlink/af_netlink.c | 4 +++- > > 2 files changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h > > index 4c0cde075c27..ddeaa748df5e 100644 > > --- a/include/uapi/linux/netlink.h > > +++ b/include/uapi/linux/netlink.h > > @@ -47,6 +47,7 @@ struct nlmsghdr { > > __u16 nlmsg_flags; /* Additional flags */ > > __u32 nlmsg_seq; /* Sequence number */ > > __u32 nlmsg_pid; /* Sending process port ID */ > > + __u8 contents[]; > > Is this ok to change a public, userspace visable, structure? > > Nothing breaks? It really shouldn't break anything. Adding a flex array doesn't change the size. And with Rasmus's suggestion (naming it "nlmsg_content") it should be safe against weird global macro collisions, etc.
diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h index 4c0cde075c27..ddeaa748df5e 100644 --- a/include/uapi/linux/netlink.h +++ b/include/uapi/linux/netlink.h @@ -47,6 +47,7 @@ struct nlmsghdr { __u16 nlmsg_flags; /* Additional flags */ __u32 nlmsg_seq; /* Sequence number */ __u32 nlmsg_pid; /* Sending process port ID */ + __u8 contents[]; }; /* Flags values */ diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 24b7cf447bc5..f2dd99e96822 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -2447,7 +2447,9 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, NLMSG_ERROR, payload, flags); errmsg = nlmsg_data(rep); errmsg->error = err; - memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); + memcpy(&errmsg->msg, nlh, sizeof(*nlh)); + if (payload > sizeof(*errmsg)) + memcpy(errmsg->msg.contents, nlh->contents, nlh->nlmsg_len - sizeof(*nlh)); if (nlk_has_extack && extack) { if (extack->_msg) {
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Add a flexible array member to mark the end of struct nlmsghdr, and split the memcpy() to avoid false positive memcpy() warning: memcpy: detected field-spanning write (size 32) of single field (size 16) Signed-off-by: Kees Cook <keescook@chromium.org> --- include/uapi/linux/netlink.h | 1 + net/netlink/af_netlink.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-)