From patchwork Wed Nov 28 12:39:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tobias Schramm X-Patchwork-Id: 1004525 X-Patchwork-Delegate: ynezz@true.cz Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="GfNg5Dje"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="o6TM3ItB"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 434gGF4Yllz9s2P for ; Wed, 28 Nov 2018 23:39:49 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=kQvbgqGvuaRxsf9KerJZfFpmD6gkf7mv4HVsc94yMtg=; b=GfNg5DjeZQwsY3 4RbyaH0OjdorOT7FDfpe4V2h/dBx9KDiR74NnzF8CXZyztt5GqdgBJwXTelD5hoJocTOITqPMlft5 DaiFnezTc/GbCHVInWfMUF27XymST37xQ4XTM6sm06rJ1TXYFS8iusDc4ZZEGKfT4ajcAeO+rcNYx pgHnKdssaiyx7VKw8mHwxtaFrlcmQ00JDlFlpxCJOkJ6KaZpOKsZ5rdFQndAGnrewjlsSLkB0Lno0 FW8RK/tBUJrBTZROzNNW+ILZQlkH0RDkmdN09BHNBJu/3euIG1rpneMHh8sjg7UDRvw9+/RmQjnWp Yyt6J0wM+2pECSCEKQKQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1gRz82-0005Yv-86; Wed, 28 Nov 2018 12:39:42 +0000 Received: from mail-wr1-x441.google.com ([2a00:1450:4864:20::441]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gRz7b-000590-Ry for openwrt-devel@lists.openwrt.org; Wed, 28 Nov 2018 12:39:18 +0000 Received: by mail-wr1-x441.google.com with SMTP id p4so26149291wrt.7 for ; Wed, 28 Nov 2018 04:39:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=BjOtFQ5Ur5Bax9a6apNrEFtSMUri70Mcvf1sT7LGCbc=; b=o6TM3ItBKJDGwXOvCgfFiwRUiTKTcoglXosfSYLaKnBqD3ilNnkK5FQWqV0iCom96y PdTELieHaPAGGEhDcidtrgeQn9kJGYyKBctQFwMCo0HW72DscG7Cw5trvX9gdjR96Flj bQP5qS9fiSlduVrV+DYM2j2NhwcQJ1pB+073pixx9wSsUwUr6szpLDpoHrdQ/EGZxyOR VlNTVNg/ETVGYvEVpb0iDJPHl/C6YEnp9SWDxnUk18WCCNTku7Vo9fvrm08/qBB/jqR6 DIRB24igibv0RXM2VeTK3GzduPHBT99o8n9J//U+BwA4wvlSu9+5wRAt6kbYLrjjDaBP OhHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BjOtFQ5Ur5Bax9a6apNrEFtSMUri70Mcvf1sT7LGCbc=; b=gduhnEuPBhM5Mbv8ODnfYzjvLsyvIPTv78AVFbbt58HsDQf1+ZTq0g1HJ1V3pUFD41 duNbN6XSsdvgIotqLEpWLy1QxvrpvIhZ+vm7R4/zKAArcoS6+cS9INHVHWadCYyTRfGs GswpBr48uhNt+Xc8isrHZ2Sdzx0qtXT2tn8UGKpP2nvXz2+PlBSVqD1sr7j0aJs8qihu nPsb9V05CIhEtc7CXM0sBNxc1kvEoZGm0SU9Pnf9az1IZZAkbl7l8yJL4nkn19ChzE3T k9etdTlzJaLwKXM+h9EOCcwjcUffLJq6aAsayLUKNSKPUi7pAcyKn22GdSQT8l1kKRPx KhYQ== X-Gm-Message-State: AA+aEWYQvxCBU4UUW4vCRzQyrwbENylGwNVSy7xG4/pY2ePDENxojY30 M5DrcN4FXSlKa9zcMbTQSYLPyMGU X-Google-Smtp-Source: AFSGD/U2ewk6/S6o7c092oCMQTHv+5tl/GYkwNa+KXChai3UXwPz3/KD2o7GMz4Dq5sXeJIJROv7Fw== X-Received: by 2002:adf:e846:: with SMTP id d6mr32111888wrn.72.1543408744606; Wed, 28 Nov 2018 04:39:04 -0800 (PST) Received: from sunsetshimmer.lan ([2a02:8106:19:4900:3ab5:b1b6:c8c2:b39f]) by smtp.gmail.com with ESMTPSA id b7sm5612177wrs.47.2018.11.28.04.39.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Nov 2018 04:39:04 -0800 (PST) From: Tobias Schramm To: openwrt-devel@lists.openwrt.org Date: Wed, 28 Nov 2018 13:39:30 +0100 Message-Id: <20181128123931.28840-3-tobleminer@gmail.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181128123931.28840-1-tobleminer@gmail.com> References: <20181128123931.28840-1-tobleminer@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20181128_043916_017953_794000AC X-CRM114-Status: GOOD ( 12.73 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:441 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (tobleminer[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Subject: [OpenWrt-Devel] [PATCH v4 2/3] Replace use of blobmsg_check_attr by blobmsg_check_attr_safe X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Tobias Schramm , nbd@nbd.name Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org blobmsg_check_attr_safe adds a length limit specifying the max offset from attr that can be read safely Signed-off-by: Tobias Schramm --- blobmsg.c | 24 ++++++++++++++++++------ blobmsg.h | 24 +++++++++++++++++++++++- 2 files changed, 41 insertions(+), 7 deletions(-) diff --git a/blobmsg.c b/blobmsg.c index 8019c45..10f3801 100644 --- a/blobmsg.c +++ b/blobmsg.c @@ -31,19 +31,29 @@ blobmsg_namelen(const struct blobmsg_hdr *hdr) return be16_to_cpu(hdr->namelen); } -bool blobmsg_check_attr(const struct blob_attr *attr, bool name) +bool blobmsg_check_attr_safe(const struct blob_attr *attr, bool name, size_t len) { const struct blobmsg_hdr *hdr; const char *data; - int id, len; + char *limit = (char*)attr + len; + int id, data_len; + + if (len < sizeof(struct blob_attr)) + return false; if (blob_len(attr) < sizeof(struct blobmsg_hdr)) return false; + if (len < sizeof(struct blobmsg_hdr)) + return false; + hdr = (void *) attr->data; if (!hdr->namelen && name) return false; + if ((char*)hdr->name + blobmsg_namelen(hdr) > limit) + return false; + if (blobmsg_namelen(hdr) > blob_len(attr) - sizeof(struct blobmsg_hdr)) return false; @@ -51,8 +61,10 @@ bool blobmsg_check_attr(const struct blob_attr *attr, bool name) return false; id = blob_id(attr); - len = blobmsg_data_len(attr); + data_len = blobmsg_data_len(attr); data = blobmsg_data(attr); + if (data_len < 0 || data + data_len > limit) + return false; if (id > BLOBMSG_TYPE_LAST) return false; @@ -60,7 +72,7 @@ bool blobmsg_check_attr(const struct blob_attr *attr, bool name) if (!blob_type[id]) return true; - return blob_check_type(data, len, blob_type[id]); + return blob_check_type(data, data_len, blob_type[id]); } int blobmsg_check_array(const struct blob_attr *attr, int type) @@ -111,7 +123,7 @@ int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len, blob_id(attr) != policy[i].type) continue; - if (!blobmsg_check_attr(attr, false)) + if (!blobmsg_check_attr_safe(attr, false, len)) return -1; if (tb[i]) @@ -158,7 +170,7 @@ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len, if (blobmsg_namelen(hdr) != pslen[i]) continue; - if (!blobmsg_check_attr(attr, true)) + if (!blobmsg_check_attr_safe(attr, true, len)) return -1; if (tb[i]) diff --git a/blobmsg.h b/blobmsg.h index c75f1d9..d17b896 100644 --- a/blobmsg.h +++ b/blobmsg.h @@ -104,7 +104,29 @@ static inline int blobmsg_len(const struct blob_attr *attr) return blobmsg_data_len(attr); } -bool blobmsg_check_attr(const struct blob_attr *attr, bool name); +/* + * blobmsg_check_attr_safe: safely validate a single untrusted attribute + * + * This method is a safe implementation of blobmsg_check_attr. + * It will limit all memory access performed on the blob to the + * range [attr, attr + len] (upper bound non inclusive) and is + * thus suited for checking untrusted blob attributes. + */ +bool blobmsg_check_attr_safe(const struct blob_attr *attr, bool name, size_t len); + +/* + * blobmsg_check_attr: validate a single attribute + * + * This method may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access and + * crash your program or get your device 0wned. + */ +static inline bool +blobmsg_check_attr(const struct blob_attr *attr, bool name) +{ + return blobmsg_check_attr_safe(attr, name, blob_raw_len(attr)); +} + bool blobmsg_check_attr_list(const struct blob_attr *attr, int type); /*