netlink: Zero-initialize mbuf messages
ClosedPublic
Actions

Authored by markj on Jan 17 2023, 2:08 PM.

Details

Reviewers

Group Reviewers

Commits

rG5eaad7c9c593: netlink: Zero-initialize mbuf messages
rG13e997289240: netlink: Zero-initialize mbuf messages
rGd91be0f1211b: netlink: Zero-initialize mbuf messages

Summary

Some users of nlmsg_reserve_object() and nlmsg_reserve_data() are not
careful to fully initialize pad and reserved fields, allowing
uninitialized bytes to leak to userspace. For example, dump_nhgrp()
doesn't set nhm->resvd = 0.

Meanwhile, nlmsg_get_ns_buf() and nlmsg_get_ns_lbuf() zero-initialize
the buffer, so nlmsg_get_ns_mbuf() is inconsistent. Let's just make
them all behave the same here.

Reported by: KMSAN

Test Plan

netlink regression tests

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Jan 17 2023, 2:08 PM

Herald added subscribers: glebius, imp. · View Herald TranscriptJan 17 2023, 2:08 PM

markj requested review of this revision.Jan 17 2023, 2:08 PM

Harbormaster completed remote builds in B49143: Diff 115228.Jan 17 2023, 2:08 PM

markj added a child revision: D38099: netlink: Make the writers function table static and const.Jan 17 2023, 2:09 PM

markj edited the summary of this revision. (Show Details)Jan 17 2023, 2:09 PM

markj edited the test plan for this revision. (Show Details)

Thank you for working on that! It was on my list for quite some time. I was concerned a bit about performance & was thinking of measuring the different approaches. Anyway, let's make it safe first and work on improvements later.
Thank you again for addressing the security issue.

This revision is now accepted and ready to land.Jan 17 2023, 2:20 PM

In D38098#865466, @melifaro wrote:

Thank you for working on that! It was on my list for quite some time. I was concerned a bit about performance & was thinking of measuring the different approaches. Anyway, let's make it safe first and work on improvements later.

One other approach might be to instead make nlmsg_reserve_object() and nlmsg_reserve_data() zero the buffer area. I suspect the overhead of zeroing is pretty close to negligible in either case though?

Closed by commit rGd91be0f1211b: netlink: Zero-initialize mbuf messages (authored by markj). · Explain WhyJan 17 2023, 2:45 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGd91be0f1211b: netlink: Zero-initialize mbuf messages.

In D38098#865469, @markj wrote:

In D38098#865466, @melifaro wrote:

Thank you for working on that! It was on my list for quite some time. I was concerned a bit about performance & was thinking of measuring the different approaches. Anyway, let's make it safe first and work on improvements later.

One other approach might be to instead make nlmsg_reserve_object() and nlmsg_reserve_data() zero the buffer area. I suspect the overhead of zeroing is pretty close to negligible in either case though?

Yep. Re overhead - it depends. Full-view dump is hundreds of megabytes, mainly consisting of the attributes (which don't require zeroing). Anyway, it shouldn't be a _huge_ difference and can be addressed later.

melifaro added a commit: rG13e997289240: netlink: Zero-initialize mbuf messages.Feb 18 2023, 11:57 AM

melifaro added a commit: rG5eaad7c9c593: netlink: Zero-initialize mbuf messages.Feb 20 2023, 8:13 PM