Message ID | 20230323193032.28483-1-mkoutny@suse.com
---|---
State | New
Headers | From: Michal Koutný <mkoutny@suse.com>; To: Josef Bacik <josef@toxicpanda.com>; Cc: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, Navid Emamdoost <navid.emamdoost@gmail.com>, Michal Kubecek <mkubecek@suse.cz>; Subject: [PATCH RESEND v3] nbd_genl_status: null check for nla_nest_start; Date: Thu, 23 Mar 2023 20:30:32 +0100; Message-Id: <20230323193032.28483-1-mkoutny@suse.com>
Series | [RESEND,v3] nbd_genl_status: null check for nla_nest_start
Commit Message
Michal Koutný
March 23, 2023, 7:30 p.m. UTC
From: Navid Emamdoost <navid.emamdoost@gmail.com>

nla_nest_start may fail and return NULL. The check is inserted, and
errno is selected based on other call sites within the same source code.
Update: removed extra new line.
v3 Update: added release reply, thanks to Michal Kubecek for pointing
out.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Link: https://lore.kernel.org/r/20190911164013.27364-1-navid.emamdoost@gmail.com/
---

I'm resending the patch because there was apparent consensus of its
inclusion and it seems it was only overlooked. Some people may care
about this because of CVE-2019-16089.

 drivers/block/nbd.c | 6 ++++++
 1 file changed, 6 insertions(+)
Comments
On 3/23/23 1:30 PM, Michal Koutný wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
>
> nla_nest_start may fail and return NULL. The check is inserted, and
> errno is selected based on other call sites within the same source code.
> Update: removed extra new line.
> v3 Update: added release reply, thanks to Michal Kubecek for pointing
> out.

Josef? Looks straightforward to me, though it's not clear (to me) how
this can be triggered and hence how important it is.

> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
> Link: https://lore.kernel.org/r/20190911164013.27364-1-navid.emamdoost@gmail.com/
> ---
>
> I'm resending the patch because there was apparent consensus of its
> inclusion and it seems it was only overlooked. Some people may care
> about this because of CVE-2019-16089.

Anyone can file a CVE, and in fact they are often filed as some kind of
silly trophy. Whether a CVE exists or not has ZERO bearing on whether a
bug is worth fixing. So please don't mix CVEs into any of this, they
don't matter one bit. Never have, and never will. What's important is
how the bug can be triggered.
Thanks for the reply.

On Thu, Mar 23, 2023 at 04:51:17PM -0600, Jens Axboe <axboe@kernel.dk> wrote:
> So please don't mix CVEs into any of this, they don't matter one bit.

Do not shoot the messenger. (But I'll refrain from that numeric
reference to disincentivize such trophy collecting.)

> Never have, and never will. What's important is how the bug can be
> triggered.

From my perspective it's pragmatic better-safe-than-sorry -- a proof may
be conceived that rules out any triggering condition, it's less work to
put the guard in though.

My .02€,
Michal
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 592cfa8b765a..109dccd9a515 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -2394,6 +2394,12 @@ static int nbd_genl_status(struct sk_buff *skb, struct genl_info *info) } dev_list = nla_nest_start_noflag(reply, NBD_ATTR_DEVICE_LIST); + if (!dev_list) { + nlmsg_free(reply); + ret = -EMSGSIZE; + goto out; + } + if (index == -1) { ret = idr_for_each(&nbd_index_idr, &status_cb, reply); if (ret) {
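Review bot: the new error path after `nla_nest_start_noflag(reply, NBD_ATTR_DEVICE_LIST)` calls `nlmsg_free(reply)` and then does `goto out`, but the hunk's context does not show the `out` label, so it should be confirmed in the full function that `out` neither frees nor otherwise touches `reply`; a second release there would turn this guard into a double free. `ret = -EMSGSIZE` is the right errno for a NULL return here, since `nla_nest_start_noflag()` returns NULL only when the reply skb has no tailroom left for the nest header. That is also the answer to the thread's "how can this be triggered" question: the check can only fire if `reply` was sized too small for the device list, and the hunk does not show how `reply` is sized, so a sentence in the commit message saying whether that can happen in practice would make the value of the guard clear to reviewers.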