From nobody Mon Jan 23 22:12:25 2023
Date: Mon, 23 Jan 2023 22:12:25 GMT
Message-Id: <202301232212.30NMCPcY017440@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: "Alexander V. Chernikov"
Subject: git: b2e826efd6c4 - stable/13 - netlink: fix OOB write when creating attribute bitmask.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: melifaro
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: b2e826efd6c4153f66af8aff3024f26d0f6cd63a
Auto-Submitted: auto-generated

The branch stable/13 has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=b2e826efd6c4153f66af8aff3024f26d0f6cd63a

commit b2e826efd6c4153f66af8aff3024f26d0f6cd63a
Author:     Alexander V. Chernikov
AuthorDate: 2023-01-21 18:03:47 +0000
Commit:     Alexander V. Chernikov
CommitDate: 2023-01-23 22:09:05 +0000

    netlink: fix OOB write when creating attribute bitmask.

    Fix wrong arithmetics by moving to the standard bitset(9) functions.

    Reported by:    markj, KASAN

    (cherry picked from commit 10f2a38769c7b2fa210a3ea077d3185448479013)

--- sys/netlink/netlink_message_parser.c | 16 +++++++++++++--- sys/netlink/netlink_message_parser.h | 16 ++++++---------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/sys/netlink/netlink_message_parser.c b/sys/netlink/netlink_message_parser.c index 451d9d497491..dc0c38712613 100644 --- a/sys/netlink/netlink_message_parser.c +++ b/sys/netlink/netlink_message_parser.c 
@@ -152,17 +152,27 @@ nl_get_attrs_bmask_raw(struct nlattr *nla_head, int len, struct nlattr_bmask *bm { struct nlattr *nla = NULL; - bzero(bm->mask, sizeof(bm->mask)); + BIT_ZERO(NL_ATTR_BMASK_SIZE, bm); NLA_FOREACH(nla, nla_head, len) { if (nla->nla_len < sizeof(struct nlattr)) return; int nla_type = nla->nla_type & NLA_TYPE_MASK; - if (nla_type <= sizeof(bm->mask) * 8) - bm->mask[nla_type / 8] |= 1 << (nla_type % 8); + if (nla_type < NL_ATTR_BMASK_SIZE) + BIT_SET(NL_ATTR_BMASK_SIZE, nla_type, bm); + else + NL_LOG(LOG_DEBUG2, "Skipping type %d in the mask: too short", + nla_type); } } +bool +nl_has_attr(const struct nlattr_bmask *bm, unsigned int nla_type) +{ + MPASS(nla_type < NL_ATTR_BMASK_SIZE); + + return (BIT_ISSET(NL_ATTR_BMASK_SIZE, nla_type, bm)); +} int nlattr_get_flag(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target) diff --git a/sys/netlink/netlink_message_parser.h b/sys/netlink/netlink_message_parser.h index 3f64c1967f09..94f0ca5260d7 100644 --- a/sys/netlink/netlink_message_parser.h +++ b/sys/netlink/netlink_message_parser.h @@ -29,6 +29,9 @@ #define _NETLINK_NETLINK_MESSAGE_PARSER_H_ #ifdef _KERNEL + +#include + /* * It is not meant to be included directly */ @@ -152,18 +155,11 @@ static const struct nlhdr_parser _name = { \ .np_size = NL_ARRAY_LEN(_np), \ } -struct nlattr_bmask { - uint64_t mask[2]; -}; - -static inline bool -nl_has_attr(const struct nlattr_bmask *bm, unsigned int attr_type) -{ - MPASS(attr_type < sizeof(bm->mask) * 8); +#define NL_ATTR_BMASK_SIZE 128 +BITSET_DEFINE(nlattr_bmask, NL_ATTR_BMASK_SIZE); - return ((bm->mask[attr_type / 8] & (1 << (attr_type % 8)))); -} void nl_get_attrs_bmask_raw(struct nlattr *nla_head, int len, struct nlattr_bmask *bm); +bool nl_has_attr(const struct nlattr_bmask *bm, unsigned int nla_type); int nl_parse_attrs_raw(struct nlattr *nla_head, int len, const struct nlattr_parser *ps, int pslen, struct nl_pstate *npt, void *target);
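
Review bot: In the netlink_message_parser.c hunk, the new nl_has_attr() bounds its index only with MPASS(nla_type < NL_ATTR_BMASK_SIZE), which is compiled out of kernels built without INVARIANTS, so a caller passing a type at or above NL_ATTR_BMASK_SIZE would make BIT_ISSET read past the bitset there. nl_get_attrs_bmask_raw() in the same hunk already leaves such types out of the mask, so consider answering false for them here as well, e.g. `if (nla_type >= NL_ATTR_BMASK_SIZE) return (false);`, instead of asserting. Separately, the NL_LOG text "too short" reads as if the attribute were short; saying that the type exceeds the mask size would be clearer.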
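
Review bot: In the netlink_message_parser.h hunk at -152,18, NL_ATTR_BMASK_SIZE is introduced as a bare 128 with no comment saying that it is a count of bits or what happens to attribute types at or above it. A short comment next to the define, stating that the mask covers types 0 to 127 and that nl_get_attrs_bmask_raw() skips anything larger, would tell callers of nl_has_attr() which types they may query, since that function asserts on the same bound.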