[OpenWrt-Devel,v4,2/3] Replace use of blobmsg_check_attr by blobmsg_check_attr_safe

Message ID 20181128123931.28840-3-tobleminer@gmail.com
State New
Delegated to: Felix Fietkau
Headers show
Series
  • libubox: Enhance robustness of blobmsg parsing
Related show

Commit Message

Tobias Schramm Nov. 28, 2018, 12:39 p.m.
blobmsg_check_attr_safe adds a length limit specifying the max offset from attr that
can be read safely

Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
---
 blobmsg.c | 24 ++++++++++++++++++------
 blobmsg.h | 24 +++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 7 deletions(-)

Patch

diff --git a/blobmsg.c b/blobmsg.c
index 8019c45..10f3801 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -31,19 +31,29 @@  blobmsg_namelen(const struct blobmsg_hdr *hdr)
 	return be16_to_cpu(hdr->namelen);
 }
 
-bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
+bool blobmsg_check_attr_safe(const struct blob_attr *attr, bool name, size_t len)
 {
 	const struct blobmsg_hdr *hdr;
 	const char *data;
-	int id, len;
+	char *limit = (char*)attr + len;
+	int id, data_len;
+
+	if (len < sizeof(struct blob_attr))
+		return false;
 
 	if (blob_len(attr) < sizeof(struct blobmsg_hdr))
 		return false;
 
+	if (len < sizeof(struct blobmsg_hdr))
+		return false;
+
 	hdr = (void *) attr->data;
 	if (!hdr->namelen && name)
 		return false;
 
+	if ((char*)hdr->name + blobmsg_namelen(hdr) > limit)
+		return false;
+
 	if (blobmsg_namelen(hdr) > blob_len(attr) - sizeof(struct blobmsg_hdr))
 		return false;
 
@@ -51,8 +61,10 @@  bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
 		return false;
 
 	id = blob_id(attr);
-	len = blobmsg_data_len(attr);
+	data_len = blobmsg_data_len(attr);
 	data = blobmsg_data(attr);
+	if (data_len < 0 || data + data_len > limit)
+		return false;
 
 	if (id > BLOBMSG_TYPE_LAST)
 		return false;
@@ -60,7 +72,7 @@  bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
 	if (!blob_type[id])
 		return true;
 
-	return blob_check_type(data, len, blob_type[id]);
+	return blob_check_type(data, data_len, blob_type[id]);
 }
 
 int blobmsg_check_array(const struct blob_attr *attr, int type)
@@ -111,7 +123,7 @@  int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len,
 		    blob_id(attr) != policy[i].type)
 			continue;
 
-		if (!blobmsg_check_attr(attr, false))
+		if (!blobmsg_check_attr_safe(attr, false, len))
 			return -1;
 
 		if (tb[i])
@@ -158,7 +170,7 @@  int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
 			if (blobmsg_namelen(hdr) != pslen[i])
 				continue;
 
-			if (!blobmsg_check_attr(attr, true))
+			if (!blobmsg_check_attr_safe(attr, true, len))
 				return -1;
 
 			if (tb[i])
diff --git a/blobmsg.h b/blobmsg.h
index c75f1d9..d17b896 100644
--- a/blobmsg.h
+++ b/blobmsg.h
@@ -104,7 +104,29 @@  static inline int blobmsg_len(const struct blob_attr *attr)
 	return blobmsg_data_len(attr);
 }
 
-bool blobmsg_check_attr(const struct blob_attr *attr, bool name);
+/*
+ * blobmsg_check_attr_safe: safely validate a single untrusted attribute
+ *
+ * This method is a safe implementation of blobmsg_check_attr.
+ * It will limit all memory access performed on the blob to the
+ * range [attr, attr + len] (upper bound non inclusive) and is
+ * thus suited for checking untrusted blob attributes.
+ */
+bool blobmsg_check_attr_safe(const struct blob_attr *attr, bool name, size_t len);
+
+/*
+ * blobmsg_check_attr: validate a single attribute
+ *
+ * This method may be used with trusted data only. Providing
+ * malformed blobs will cause out of bounds memory access and
+ * crash your program or get your device 0wned.
+ */
+static inline bool
+blobmsg_check_attr(const struct blob_attr *attr, bool name)
+{
+	return blobmsg_check_attr_safe(attr, name, blob_raw_len(attr));
+}
+
 bool blobmsg_check_attr_list(const struct blob_attr *attr, int type);
 
 /*