| Message ID | 20241114-fix-netlink_ack_tlv_fill-v2-1-affdfb5f4c6f@iiitd.ac.in (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Series | [net,v2] netlink: Add string check in netlink_ack_tlv_fill |
On Thu, 14 Nov 2024 06:15:15 +0530 Manas via B4 Relay wrote:
> - if (extack->bad_attr &&
> + if (extack->bad_attr && strlen(in_skb->data) &&
> !WARN_ON((u8 *)extack->bad_attr < in_skb->data ||
> (u8 *)extack->bad_attr >= in_skb->data + in_skb->len))

that's most definitely not the right fix.
in_skb->data points to binary data.

my best idea so far is to rework this check to use nlh, because in_skb
will be pulled at this stage for dumps
if that makes sense to you please give it a go, otherwise I'll work on
the fix tomorrow
On 13.11.2024 18:25, Jakub Kicinski wrote:
>On Thu, 14 Nov 2024 06:15:15 +0530 Manas via B4 Relay wrote:
>> - if (extack->bad_attr &&
>> + if (extack->bad_attr && strlen(in_skb->data) &&
>> !WARN_ON((u8 *)extack->bad_attr < in_skb->data ||
>> (u8 *)extack->bad_attr >= in_skb->data + in_skb->len))
>
>that's most definitely not the right fix.
>in_skb->data points to binary data.
>
>my best idea so far is to rework this check to use nlh, because in_skb
>will be pulled at this stage for dumps
>if that makes sense to you please give it a go, otherwise I'll work on
>the fix tomorrow

Hi Jakub, thanks for reviewing this. I'll work on this.
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 0a9287fadb47a2afaf0babe675738bc43051c5a7..ea205a4f81e9755a229d46a7e617ce0c090fe5e3 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -2205,7 +2205,7 @@ netlink_ack_tlv_fill(struct sk_buff *in_skb, struct sk_buff *skb, if (!err) return; - if (extack->bad_attr && + if (extack->bad_attr && strlen(in_skb->data) && !WARN_ON((u8 *)extack->bad_attr < in_skb->data || (u8 *)extack->bad_attr >= in_skb->data + in_skb->len)) WARN_ON(nla_put_u32(skb, NLMSGERR_ATTR_OFFS,
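Review bot: the added `strlen(in_skb->data)` in the `+` line treats the netlink message buffer as a NUL-terminated C string, but `in_skb->data` holds a binary `struct nlmsghdr` followed by attributes with no terminator, so the call may scan past `in_skb->data + in_skb->len`, and whether it returns zero says nothing about whether `extack->bad_attr` lies inside the message. The bounds check should instead be expressed against the message header the function already receives (`nlh` and `nlh->nlmsg_len`), because for dumps `in_skb->data` has already been pulled past the header by the time `netlink_ack_tlv_fill()` runs; the `NLMSGERR_ATTR_OFFS` value written just below must then be computed from the same base so the reported offset stays consistent with the check.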