From patchwork Thu Dec 19 21:58:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Petr_=C5=A0tetiar?= X-Patchwork-Id: 1213739 X-Patchwork-Delegate: ynezz@true.cz Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=true.cz Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="eh/z0H/0"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47f5V65DJkz9sPL for ; Fri, 20 Dec 2019 09:03:10 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=MWvf7fUTc+EQymGwhZMpYTjFmZVhkh7Tc5eR1gGuDVg=; b=eh/z0H/0GjI4TM 1HDMlKaAExBUDdSfoG6YPWgRFOIcU8th51sJMcu4ZkAFdAnCeeIqxTfgaVii93O99G5hYZ2+7UQdi d2Yjw0a6MU1EMIDh4zYbbm4pAc7hgoof882WV9FVKObC9CDMWDzZLfT9JPT0aMTCkDuGe6GxcfbUU 0nyoGs+41YoCQnyv7cknqL+2UyX1Vb15j3wE/ReWQV1NLbH3mhEOLmR6MAqG92RB3y862YhSiIUjX RZaGREnlrypuuuHg4o2J3eYY8lFIjk+Ol7ppFFwE3JlxC/MInenkRI563fimS6dalhSAl5eUilyzt 6svrU0aZW1oH0Giyja/A==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1ii3sy-00019e-2y; Thu, 19 Dec 2019 22:03:08 +0000 Received: from smtp-out.xnet.cz ([178.217.244.18]) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1ii3ou-0000xb-2B for openwrt-devel@lists.openwrt.org; Thu, 19 Dec 2019 21:59:00 +0000 Received: from meh.true.cz (meh.true.cz [108.61.167.218]) (Authenticated sender: petr@true.cz) by smtp-out.xnet.cz (Postfix) with ESMTPSA id EFEF64B58; Thu, 19 Dec 2019 22:58:52 +0100 (CET) Received: by meh.true.cz (OpenSMTPD) with ESMTP id 54394f59; Thu, 19 Dec 2019 22:58:39 +0100 (CET) From: =?utf-8?q?Petr_=C5=A0tetiar?= To: openwrt-devel@lists.openwrt.org Date: Thu, 19 Dec 2019 22:58:34 +0100 Message-Id: <20191219215836.21773-19-ynezz@true.cz> In-Reply-To: <20191219215836.21773-1-ynezz@true.cz> References: <20191219215836.21773-1-ynezz@true.cz> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20191219_135856_307415_13C7B537 X-CRM114-Status: GOOD ( 10.92 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [178.217.244.18 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record Subject: [OpenWrt-Devel] [PATCH libubox 18/20] blobmsg: add _len variants for all attribute checking methods X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: =?utf-8?q?Petr_=C5=A0tetiar?= , Tobias Schramm Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org From: Tobias Schramm Introduce _len variants of blobmsg attribute checking functions which aims to provide safer implementation as those functions should limit all memory accesses performed on the blob to the range [attr, attr + len] (upper bound non inclusive) and thus should be suited for checking of untrusted blob attributes. While at it add some comments in order to make it clear. Signed-off-by: Tobias Schramm [_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift] Signed-off-by: Petr Štetiar --- blobmsg.c | 21 ++++++++++++++++++--- blobmsg.h | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 72 insertions(+), 4 deletions(-) diff --git a/blobmsg.c b/blobmsg.c index fbc6d2de9135..7cd0934600de 100644 --- a/blobmsg.c +++ b/blobmsg.c @@ -100,12 +100,22 @@ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len) } int blobmsg_check_array(const struct blob_attr *attr, int type) +{ + return blobmsg_check_array_len(attr, type, blob_raw_len(attr)); +} + +int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len) { struct blob_attr *cur; bool name; - size_t rem; int size = 0; + if (type > BLOBMSG_TYPE_LAST) + return -1; + + if (!blobmsg_check_attr_len(attr, false, len)) + return -1; + switch (blobmsg_type(attr)) { case BLOBMSG_TYPE_TABLE: name = true; @@ -117,11 +127,11 @@ int blobmsg_check_array(const struct blob_attr *attr, int type) return -1; } - blobmsg_for_each_attr(cur, attr, rem) { + __blobmsg_for_each_attr(cur, attr, len) { if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type) return -1; - if (!blobmsg_check_attr(cur, name)) + if (!blobmsg_check_attr_len(cur, name, len)) return -1; size++; @@ -135,6 +145,11 @@ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type) return blobmsg_check_array(attr, type) >= 0; } +bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len) +{ + return blobmsg_check_array_len(attr, type, len) >= 0; +} + int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, unsigned int len) { diff --git a/blobmsg.h b/blobmsg.h index c44015942a37..af88c1feb86f 100644 --- a/blobmsg.h +++ b/blobmsg.h @@ -104,19 +104,66 @@ static inline size_t blobmsg_len(const struct blob_attr *attr) return blobmsg_data_len(attr); } +/* + * blobmsg_check_attr: validate a list of attributes + * + * This method may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access. + */ bool blobmsg_check_attr(const struct blob_attr *attr, bool name); -bool blobmsg_check_attr_list(const struct blob_attr *attr, int type); +/* + * blobmsg_check_attr_len: validate a list of attributes + * + * This method should be safer implementation of blobmsg_check_attr. + * It will limit all memory access performed on the blob to the + * range [attr, attr + len] (upper bound non inclusive) and is + * thus suited for checking of untrusted blob attributes. + */ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len); +/* + * blobmsg_check_attr_list: validate a list of attributes + * + * This method may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access. + */ +bool blobmsg_check_attr_list(const struct blob_attr *attr, int type); + +/* + * blobmsg_check_attr_list_len: validate a list of untrusted attributes + * + * This method should be safer implementation of blobmsg_check_attr_list. + * It will limit all memory access performed on the blob to the + * range [attr, attr + len] (upper bound non inclusive) and is + * thus suited for checking of untrusted blob attributes. + */ +bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len); + /* * blobmsg_check_array: validate array/table and return size * * Checks if all elements of an array or table are valid and have * the specified type. Returns the number of elements in the array + * + * This method may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access. */ int blobmsg_check_array(const struct blob_attr *attr, int type); +/* + * blobmsg_check_array_len: validate untrusted array/table and return size + * + * Checks if all elements of an array or table are valid and have + * the specified type. Returns the number of elements in the array. + * + * This method should be safer implementation of blobmsg_check_array. + * It will limit all memory access performed on the blob to the + * range [attr, attr + len] (upper bound non inclusive) and is + * thus suited for checking of untrusted blob attributes. + */ +int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len); + int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, unsigned int len); int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len, @@ -272,4 +319,10 @@ int blobmsg_printf(struct blob_buf *buf, const char *name, const char *format, . (blob_pad_len(pos) >= sizeof(struct blob_attr)); \ rem -= blob_pad_len(pos), pos = blob_next(pos)) +#define __blobmsg_for_each_attr(pos, attr, rem) \ + for (pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \ + rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \ + (blob_pad_len(pos) >= sizeof(struct blob_attr)); \ + rem -= blob_pad_len(pos), pos = blob_next(pos)) + #endif