| Message ID | 20231206205904.make.018-kees@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 172db56d90d29e47e7d0d64885d5dbd92c87ec42 |
| Headers | show |
| Series | [v3] netlink: Return unsigned value for nla_len() | expand |
Hello: This patch was applied to netdev/net-next.git (main) by Jakub Kicinski <kuba@kernel.org>: On Wed, 6 Dec 2023 12:59:07 -0800 you wrote: > The return value from nla_len() is never expected to be negative, and can > never be more than struct nlattr::nla_len (a u16). Adjust the prototype > on the function. This will let GCC's value range optimization passes > know that the return can never be negative, and can never be larger than > u16. As recently discussed[1], this silences the following warning in > GCC 12+: > > [...] Here is the summary with links: - [v3] netlink: Return unsigned value for nla_len() https://git.kernel.org/netdev/net-next/c/172db56d90d2 You are awesome, thank you!
From: Kees Cook > Sent: 06 December 2023 20:59 > > The return value from nla_len() is never expected to be negative, and can > never be more than struct nlattr::nla_len (a u16). Adjust the prototype > on the function. This will let GCC's value range optimization passes > know that the return can never be negative, and can never be larger than > u16. As recently discussed[1], this silences the following warning in > GCC 12+: > ... > -static inline int nla_len(const struct nlattr *nla) > +static inline u16 nla_len(const struct nlattr *nla) > { > return nla->nla_len - NLA_HDRLEN; > } It also adds an explicit mask with 0xffff. I suspect that returning 'unsigned int' will silence the warning from gcc (since the error message has a huge max size). If the value is too small copying ~64k or ~4G will both overflow the buffer. The former might (just) be exploitable, the latter will crash (so is probably better!) David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
diff --git a/include/net/netlink.h b/include/net/netlink.h index 83bdf787aeee..7678a596a86b 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h @@ -1200,7 +1200,7 @@ static inline void *nla_data(const struct nlattr *nla) * nla_len - length of payload * @nla: netlink attribute */ -static inline int nla_len(const struct nlattr *nla) +static inline u16 nla_len(const struct nlattr *nla) { return nla->nla_len - NLA_HDRLEN; }
The return value from nla_len() is never expected to be negative, and can never be more than struct nlattr::nla_len (a u16). Adjust the prototype on the function. This will let GCC's value range optimization passes know that the return can never be negative, and can never be larger than u16. As recently discussed[1], this silences the following warning in GCC 12+: net/wireless/nl80211.c: In function 'nl80211_set_cqm_rssi.isra': net/wireless/nl80211.c:12892:17: warning: 'memcpy' specified bound 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=] 12892 | memcpy(cqm_config->rssi_thresholds, thresholds, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 12893 | flex_array_size(cqm_config, rssi_thresholds, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 12894 | n_thresholds)); | ~~~~~~~~~~~~~~ A future change would be to clamp the subtraction to make sure it never wraps around if nla_len is somehow less than NLA_HDRLEN, which would have the additional benefit of being defensive in the face of nlattr corruption or logic errors. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202311090752.hWcJWAHL-lkp@intel.com/ [1] Cc: Jakub Kicinski <kuba@kernel.org> Cc: David S. Miller <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: Jeff Johnson <quic_jjohnson@quicinc.com> Cc: Michael Walle <mwalle@kernel.org> Cc: Max Schulze <max.schulze@online.de> Cc: netdev@vger.kernel.org Cc: linux-wireless@vger.kernel.org Link: https://lore.kernel.org/r/20231202202539.it.704-kees@kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- v3: do not cast NLA_HDRLEN to u16 (nicolas.dichtel) v2: https://lore.kernel.org/all/20231202202539.it.704-kees@kernel.org/ v1: https://lore.kernel.org/all/20231130200058.work.520-kees@kernel.org/ --- include/net/netlink.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)