Message ID | 20230725022151.417450-1-linma@zju.edu.cn |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp2188652vqg; Mon, 24 Jul 2023 19:36:50 -0700 (PDT) X-Google-Smtp-Source: APBJJlHRi6Llozomu06NIuIk2UC6WKiJZMP2l3tG6nrN9AibHXYBk7+ceZakcIUf4wj7VpRnrFoU X-Received: by 2002:a17:906:15b:b0:98e:37fe:691b with SMTP id 27-20020a170906015b00b0098e37fe691bmr11874916ejh.34.1690252610231; Mon, 24 Jul 2023 19:36:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690252610; cv=none; d=google.com; s=arc-20160816; b=KvTeoE4nWQcWsz+uRVFrCB+aPOYYfEMdwblv8Xtvi6r9vA0nAZweEJnIRxkj+IL2ri jIh/lpkGeiIBgvrUWmrTMFXFeEZqz8h3YnrxFpeIPoDXbE/88iJcjQoDgf/ydfxQxDUF uf/8zwkrvdUbq6MIEBhsYCvuwjvlS0nXdhJYYftKRYq3GYIIR2r2uSXzKitjXXxyMp2+ Saz8IBz7ul7uO9H/0JjmSs8g2D9v+jAQO7wEZ+XtBk79s2ooqLhC9Wc5ryix/F+gZm1H e+gMf7aceaiMqCEFiuTNcyz5cgM19o35/C73z+luqA4ecCZti6gfC959djWdWJgEDyOl 2xOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from; bh=5YAV0PMx+igOvoJi731DExB9N0FHExUugtKCP1kVKuI=; fh=KlB3vWSu0lIFrdWbXRXV7nsdWp8gJ5u2+BS0EOffnVo=; b=qBe8utgsSJyUKnl/+C8zyIkHj04TJTdky8KGhDjHbMGaCNBCbo1wKGCBuIZGcNWB5N wxJpQfb2CWQL++GRIrA0BLu83n4e60lOQpP/A90JULhhJ6yVk8JpsjX1DW+0NUqSMfnr t8xswtMu6TdTFodfy9CQOb2wBlhuzw2GIxGkDgn/bO2GQdiuoLOWW84QCuaBFRmj0nlN KAPgcg55xIfkQJBvsf31Ph4J4v6jtt3/gmddtb5sT6zsVzJw7wqIgXYOLG2TNg5R1qCZ 3Rd381iKd65SSoIa7xx/Ym9XPCibiARJyqjBboSn4DLQReJ1OzHCmEbXSdoP+LB4S09W 612Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o5-20020a17090637c500b0099233cac125si7575298ejc.915.2023.07.24.19.36.26; Mon, 24 Jul 2023 19:36:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230190AbjGYCWb (ORCPT <rfc822;kautuk.consul.80@gmail.com> + 99 others); Mon, 24 Jul 2023 22:22:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60422 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229452AbjGYCW3 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Mon, 24 Jul 2023 22:22:29 -0400 Received: from azure-sdnproxy.icoremail.net (azure-sdnproxy.icoremail.net [207.46.229.174]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BF068CD; Mon, 24 Jul 2023 19:22:25 -0700 (PDT) Received: from localhost.localdomain (unknown [39.174.92.167]) by mail-app3 (Coremail) with SMTP id cC_KCgA3HbzAMb9kOIKkCw--.4468S4; Tue, 25 Jul 2023 10:21:53 +0800 (CST) From: Lin Ma <linma@zju.edu.cn> To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, razor@blackwall.org, idosch@nvidia.com, lucien.xin@gmail.com, liuhangbin@gmail.com, edwin.peer@broadcom.com, jiri@resnulli.us, md.fahad.iqbal.polash@intel.com, anirudh.venkataramanan@intel.com, jeffrey.t.kirsher@intel.com, neerav.parikh@intel.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Lin Ma <linma@zju.edu.cn> Subject: [PATCH v1] rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length Date: Tue, 25 Jul 2023 10:21:51 +0800 Message-Id: <20230725022151.417450-1-linma@zju.edu.cn> X-Mailer: git-send-email 2.17.1 X-CM-TRANSID: cC_KCgA3HbzAMb9kOIKkCw--.4468S4 X-Coremail-Antispam: 1UD129KBjvJXoW7Zr4rAw15KF4Dtr45WrWkXrb_yoW8XF4xpa 4rKa4xJF1DXr97Za17AFyrX3s7ZFZIgrW5Wr42ywn2yF9YqFyUCr98CFn0vry3AFsIqa43 tr17Gr1avr1DGFDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkE14x267AKxVW5JVWrJwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4U JVW0owA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV Cq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0 I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j6r 4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02628v n2kIc2xKxwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F4 0E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_GFv_Wryl IxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxV AFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j 6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUQvt AUUUUU= X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/ X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772358321103315862 X-GMAIL-MSGID: 1772358321103315862 |
Series |
[v1] rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length
|
|
Commit Message
Lin Ma
July 25, 2023, 2:21 a.m. UTC
There are totally 9 ndo_bridge_setlink handlers in the current kernel,
which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3)
i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5)
ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7)
nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink.
By investigating the code, we find that 1-7 parse and use nlattr
IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can
lead to an out-of-attribute read and allow a malformed nlattr (e.g.,
length 0) to be viewed as a 2 byte integer.
To avoid such issues, also for other ndo_bridge_setlink handlers in the
future. This patch adds the nla_len check in rtnl_bridge_setlink and
does an early error return if length mismatches.
Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
net/core/rtnetlink.c | 5 +++++
1 file changed, 5 insertions(+)
Comments
On Tue, Jul 25, 2023 at 10:21:51AM +0800, Lin Ma wrote: > There are totally 9 ndo_bridge_setlink handlers in the current kernel, > which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3) > i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5) > ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7) > nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink. > > By investigating the code, we find that 1-7 parse and use nlattr > IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can > lead to an out-of-attribute read and allow a malformed nlattr (e.g., > length 0) to be viewed as a 2 byte integer. > > To avoid such issues, also for other ndo_bridge_setlink handlers in the > future. This patch adds the nla_len check in rtnl_bridge_setlink and > does an early error return if length mismatches. > > Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink") > Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops") > Suggested-by: Jakub Kicinski <kuba@kernel.org> > Signed-off-by: Lin Ma <linma@zju.edu.cn> > --- > net/core/rtnetlink.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c > index 3ad4e030846d..1e51291007ea 100644 > --- a/net/core/rtnetlink.c > +++ b/net/core/rtnetlink.c > @@ -5148,6 +5148,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, > flags = nla_get_u16(attr); > break; > } If we got attr tIFLA_BRIDGE_FLAGS first, it will break here and not check the later IFLA_BRIDGE_MODE. > + > + if (nla_type(attr) == IFLA_BRIDGE_MODE) { > + if (nla_len(attr) < sizeof(u16)) > + return -EINVAL; > + } > } > } Thanks Hangbin
Hello Hangbin, > > If we got attr tIFLA_BRIDGE_FLAGS first, it will break here and not check > the later IFLA_BRIDGE_MODE. > > > + > > + if (nla_type(attr) == IFLA_BRIDGE_MODE) { > > + if (nla_len(attr) < sizeof(u16)) > > + return -EINVAL; > > + } > > } > > } > > Thanks > Hangbin Yeah, you are soooo right, will fix this ASAP Regards Lin
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 3ad4e030846d..1e51291007ea 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -5148,6 +5148,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, flags = nla_get_u16(attr); break; } + + if (nla_type(attr) == IFLA_BRIDGE_MODE) { + if (nla_len(attr) < sizeof(u16)) + return -EINVAL; + } } }