Comments (7)
Are there more details?
from libnl.
A function called 'nla_parse' does not check the length of the parameter; it checks nla_type (which can be controlled by userspace) against 'maxtype' (in this case, GSCAN_MAX), then it accesses the policy array 'policy[type]', which is where the OOB access happens.
Product: Android
Versions: Android SoC
Android ID: A-238379819
This is the link to the NVD, https://nvd.nist.gov/vuln/detail/CVE-2022-20385
https://ubuntu.com/security/CVE-2022-20385
That explanation is not sufficient (for me). I don't see how that's the case.
The code is here. In particular, nla_for_each_attr() calls nla_ok(), which checks the length.
Might it be that Android forked nla_parse() and has different code? Or that it doesn't actually use libnl, but a similar code?
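To make the control flow under discussion concrete, here is an added, simplified reimplementation of the attribute walk. It is not libnl's code and not the Android fork's; nla_ok, nla_parse, nla_policy and the sample stream are constructed for this example and keep only the length check and the maxtype bound that the thread is about.

```c
#include <stdint.h>
#include <string.h>
struct nlattr { uint16_t nla_len; uint16_t nla_type; };  /* on-wire header */
struct nla_policy { uint16_t minlen; };                   /* only the field used here */
#define NLA_HDRLEN    ((int)sizeof(struct nlattr))
#define NLA_ALIGN(n)  (((n) + 3) & ~3)
#define NLA_TYPE_MASK 0x3fff   /* strips NLA_F_NESTED and NLA_F_NET_BYTEORDER */

/* Length check: the header must fit and nla_len must not exceed what is left. */
int nla_ok(const struct nlattr *nla, int remaining)
{
    return remaining >= NLA_HDRLEN && nla->nla_len >= NLA_HDRLEN &&
           nla->nla_len <= remaining;
}

/* Walk the stream, filling tb[] for types in 0..maxtype. Returns the number of
 * accepted attributes, or -1 if a policy minimum length is violated. Contract
 * the parser cannot verify: policy and tb must hold maxtype + 1 entries. */
int nla_parse(const struct nlattr *tb[], int maxtype, const void *head, int len,
              const struct nla_policy *policy)
{
    const struct nlattr *nla = head;
    int rem = len, n = 0;
    memset(tb, 0, sizeof(*tb) * (maxtype + 1));
    while (nla_ok(nla, rem)) {                     /* stops at a truncated attribute */
        int type = nla->nla_type & NLA_TYPE_MASK;  /* value chosen by the sender */
        int step = NLA_ALIGN(nla->nla_len);
        if (type <= maxtype) {                     /* bound before policy[type] is read */
            if (policy && nla->nla_len - NLA_HDRLEN < policy[type].minlen)
                return -1;
            tb[type] = nla;
            n++;
        }
        if (step > rem)                            /* padding would run past the end */
            break;
        rem -= step;
        nla = (const struct nlattr *)((const char *)nla + step);
    }
    return n;
}

/* Constructed stream: type 1 (4-byte payload), type 9 (above maxtype 3), then
 * an attribute whose nla_len claims 12 bytes while only 6 are present. */
int parse_sample(const struct nlattr *tb[4])
{
    static const struct nla_policy policy[4] = { {0}, {4}, {4}, {0} };
    const struct nlattr h1 = { 8, 1 }, h2 = { 8, 9 }, h3 = { 12, 2 };
    unsigned char buf[22] = { 0 };                 /* 8 + 8 + 6 bytes */
    memcpy(buf, &h1, 4); memcpy(buf + 8, &h2, 4); memcpy(buf + 16, &h3, 4);
    return nla_parse(tb, 3, buf, (int)sizeof buf, policy);  /* 1: only type 1 kept */
}
```

The over-range type is dropped before policy[] is indexed, and the truncated trailing attribute ends the walk at nla_ok(); what the parser cannot do is verify that the caller's policy array really has maxtype + 1 entries.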
@thom311 Also there is a "Note" on https://security-tracker.debian.org/tracker/CVE-2022-20385 which says "NOT-FOR-US: Android".
Not being familiar with Android development I have been trying to track this distinction down. Where, if I can find the actual code that is in question then maybe it can be addressed.
So far this is the only place I can see it being used:
https://android.googlesource.com/platform/external/libnl/
And the diff between the files android/lib/attr.c and libnl/lib/attr.c:
3,9d2
< * lib/attr.c Netlink Attributes
< *
< * This library is free software; you can redistribute it and/or
< * modify it under the terms of the GNU Lesser General Public
< * License as published by the Free Software Foundation version 2.1
< * of the License.
< *
260c253
< goto errout;
---
> return err;
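Review bot: hunk 260c253 is a control-flow style difference, not a behavioural one: the Android copy jumps to `errout` where this repository returns `err` directly, and hunk 274,276c268 shows that the `errout:` label does nothing but `return err;`. Worth stating in the thread so nobody reads the `goto` as a missing check.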
270c263
< if (rem > 0)
---
> if (rem > 0) {
272a266
> }
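Review bot: hunks 270c263 and 272a266 together only add braces around the body of `if (rem > 0)`; the statement inside is unchanged on both sides, so this is formatting and not a difference in how leftover bytes are handled.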
274,276c268
< err = 0;
< errout:
< return err;
---
> return 0;
551a544,546
> if (nl_addr_get_len(addr) == 0)
> return -NLE_INVAL;
>
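Review bot: hunk 551a544,546 is the only functional difference in this diff: this repository rejects a zero-length `addr` with `-NLE_INVAL` and the Android copy lacks that check. It validates an `addr` argument supplied by the caller, not the nla_len of an attribute read from a message, so it does not bear on the nla_parse question. Since no hunk in this output falls inside nla_parse(), the two copies of that function are line-for-line identical, which is the conclusion worth stating explicitly in the thread.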
So with most of their version being versioned as 3.0 the source I cloned from their repository has been patched quite a bit.
@thom311 If I can be of more assistance please let me know. I have been looking over the differences between your library and their fork.
I will pay attention to the follow-up of this CVE. I am not involved in the Android community. How to use this interface needs to be further understood. Thank you for your reply.
@chengyechun to be clear the CVE is concerned with a fork of this codebase. The changes were made that differ from what is here.
I close this issue, as I think we agree that it does not affect the source in this repository.
If you disagree, please reopen or send a patch. Thank you.