Date: Sat, 21 Jan 2023 18:06:30 GMT
Message-Id: <202301211806.30LI6UYY053721@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Alexander V. Chernikov"
Subject: git: 10f2a38769c7 - main - netlink: fix OOB write when creating attribute bitmask.
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: melifaro
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 10f2a38769c7b2fa210a3ea077d3185448479013

The branch main has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=10f2a38769c7b2fa210a3ea077d3185448479013

commit 10f2a38769c7b2fa210a3ea077d3185448479013
Author:     Alexander V. Chernikov
AuthorDate: 2023-01-21 18:03:47 +0000
Commit:     Alexander V. Chernikov
CommitDate: 2023-01-21 18:03:47 +0000

    netlink: fix OOB write when creating attribute bitmask.

    Fix wrong arithmetics by moving to the standard bitset(9) functions.

    Reported by:    markj, KASAN
--- sys/netlink/netlink_message_parser.c | 16 +++++++++++++--- sys/netlink/netlink_message_parser.h | 16 ++++++---------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/sys/netlink/netlink_message_parser.c b/sys/netlink/netlink_message_parser.c index 451d9d497491..dc0c38712613 100644 --- a/sys/netlink/netlink_message_parser.c +++ b/sys/netlink/netlink_message_parser.c
@@ -152,17 +152,27 @@ nl_get_attrs_bmask_raw(struct nlattr *nla_head, int len, struct nlattr_bmask *bm { struct nlattr *nla = NULL; - bzero(bm->mask, sizeof(bm->mask)); + BIT_ZERO(NL_ATTR_BMASK_SIZE, bm); NLA_FOREACH(nla, nla_head, len) { if (nla->nla_len < sizeof(struct nlattr)) return; int nla_type = nla->nla_type & NLA_TYPE_MASK; - if (nla_type <= sizeof(bm->mask) * 8) - bm->mask[nla_type / 8] |= 1 << (nla_type % 8); + if (nla_type < NL_ATTR_BMASK_SIZE) + BIT_SET(NL_ATTR_BMASK_SIZE, nla_type, bm); + else + NL_LOG(LOG_DEBUG2, "Skipping type %d in the mask: too short", + nla_type); } } +bool +nl_has_attr(const struct nlattr_bmask *bm, unsigned int nla_type) +{ + MPASS(nla_type < NL_ATTR_BMASK_SIZE); + + return (BIT_ISSET(NL_ATTR_BMASK_SIZE, nla_type, bm)); +} int nlattr_get_flag(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target) diff --git a/sys/netlink/netlink_message_parser.h b/sys/netlink/netlink_message_parser.h index 3f64c1967f09..94f0ca5260d7 100644 --- a/sys/netlink/netlink_message_parser.h +++ b/sys/netlink/netlink_message_parser.h @@ -29,6 +29,9 @@ #define _NETLINK_NETLINK_MESSAGE_PARSER_H_ #ifdef _KERNEL + +#include + /* * It is not meant to be included directly */ @@ -152,18 +155,11 @@ static const struct nlhdr_parser _name = { \ .np_size = NL_ARRAY_LEN(_np), \ } -struct nlattr_bmask { - uint64_t mask[2]; -}; - -static inline bool -nl_has_attr(const struct nlattr_bmask *bm, unsigned int attr_type) -{ - MPASS(attr_type < sizeof(bm->mask) * 8); +#define NL_ATTR_BMASK_SIZE 128 +BITSET_DEFINE(nlattr_bmask, NL_ATTR_BMASK_SIZE); - return ((bm->mask[attr_type / 8] & (1 << (attr_type % 8)))); -} void nl_get_attrs_bmask_raw(struct nlattr *nla_head, int len, struct nlattr_bmask *bm); +bool nl_has_attr(const struct nlattr_bmask *bm, unsigned int nla_type); int nl_parse_attrs_raw(struct nlattr *nla_head, int len, const struct nlattr_parser *ps, int pslen, struct nl_pstate *npt, void *target);
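Review bot: In the netlink_message_parser.c hunk, the new out-of-line nl_has_attr() bounds its index only with `MPASS(nla_type < NL_ATTR_BMASK_SIZE)`, an assertion that is compiled in only on INVARIANTS kernels, so on a production kernel a caller passing a type of 128 or more would have BIT_ISSET index past the end of the bitset. Since the function is no longer inline, consider returning false for out-of-range types in addition to the assertion, mirroring the `nla_type < NL_ATTR_BMASK_SIZE` check that nl_get_attrs_bmask_raw() now performs before BIT_SET. Separately, the debug text "Skipping type %d in the mask: too short" reads as if the attribute were short; wording such as "type %d does not fit in the attribute bitmask" would say what the branch actually tests.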
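Review bot: In the netlink_message_parser.h hunk that replaces struct nlattr_bmask, `#define NL_ATTR_BMASK_SIZE 128` carries no comment saying that the value is a count of bits (one per attribute type), not bytes or words. The removed code mixed exactly those units (`mask[attr_type / 8]` against a `uint64_t mask[2]` array), so a one-line comment stating that the bitmask covers attribute types 0 to 127 and that larger types are not recorded would help, and callers of nl_has_attr() need to know that limit.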