Message ID | 20230110091450.21696-1-abelova@astralinux.ru |
---|---|
State | New |
Headers | From: Anastasia Belova <abelova@astralinux.ru> To: Steffen Klassert <steffen.klassert@secunet.com> Cc: Anastasia Belova <abelova@astralinux.ru>, Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Dmitry Safonov <0x7f454c46@gmail.com>, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] xfrm: compat: change expression for switch in xfrm_xlate64 Date: Tue, 10 Jan 2023 12:14:50 +0300 |
Series | xfrm: compat: change expression for switch in xfrm_xlate64 |
Commit Message
Anastasia Belova
Jan. 10, 2023, 9:14 a.m. UTC
Compare XFRM_MSG_NEWSPDINFO (value from netlink
configuration messages enum) with nlh_src->nlmsg_type
instead of nlh_src->nlmsg_type - XFRM_MSG_BASE.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 4e9505064f58 ("net/xfrm/compat: Copy xfrm_spdattr_type_t atributes")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
---
net/xfrm/xfrm_compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 1/10/23 09:14, Anastasia Belova wrote:
> Compare XFRM_MSG_NEWSPDINFO (value from netlink
> configuration messages enum) with nlh_src->nlmsg_type
> instead of nlh_src->nlmsg_type - XFRM_MSG_BASE.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.

Nice find!

Looking at the details: xfrm_xlate64() is for translating 64-bit kernel-issued message to 32-bit userspace ABI. The message is XFRM_MSG_NEWSPDINFO and there's a selftest that checks if the attributes (thresh valued) were correctly translated in tools/testing/selftests/net/ipsec.c

So, I was interested in how did it go unnoticed?

The switch here is to differ XFRMA_* attributes from XFRMA_SPD_* attributes, which can be just copied as they are as they occupy the same space on 64-bit as well as on 32-bit.

    enum xfrm_spdattr_type_t {
            XFRMA_SPD_UNSPEC,
            XFRMA_SPD_INFO,
            XFRMA_SPD_HINFO,
            XFRMA_SPD_IPV4_HTHRESH,
            XFRMA_SPD_IPV6_HTHRESH,
            __XFRMA_SPD_MAX
    };

attributes went through xfrm_xlate64_attr() instead of just being copied. That worked in result as

    case XFRMA_UNSPEC:
    case XFRMA_ALG_AUTH:
    case XFRMA_ALG_CRYPT:
    case XFRMA_ALG_COMP:
    case XFRMA_ENCAP:
    case XFRMA_TMPL:
            return xfrm_nla_cpy(dst, src, nla_len(src));

are equal by value (XFRMA_UNSPEC == 0 == XFRMA_SPD_UNSPEC) and so on. So, in result, even with this typo the code worked.

What about the reverse case, what was being copied by this XFRM_MSG_NEWSPDINFO case?

XFRM_MSG_NEWSPDINFO == 0x24

So, before this patch (XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE) == 0x14 == XFRM_MSG_DELPOLICY type of messages would fit this switch case.

Luckily enough, kernel doesn't send back XFRM_MSG_DELPOLICY messages to userspace. That's how it went unnoticed, by unexpectedly still working.

> Fixes: 4e9505064f58 ("net/xfrm/compat: Copy xfrm_spdattr_type_t atributes")
> Signed-off-by: Anastasia Belova <abelova@astralinux.ru> Thanks for the patch, Acked-by: Dmitry Safonov <0x7f454c46@gmail.com> Tested-by: Dmitry Safonov <0x7f454c46@gmail.com> > --- > net/xfrm/xfrm_compat.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c > index a0f62fa02e06..12405aa5bce8 100644 > --- a/net/xfrm/xfrm_compat.c > +++ b/net/xfrm/xfrm_compat.c > @@ -302,7 +302,7 @@ static int xfrm_xlate64(struct sk_buff *dst, const struct nlmsghdr *nlh_src) > nla_for_each_attr(nla, attrs, len, remaining) { > int err; > > - switch (type) { > + switch (nlh_src->nlmsg_type) { > case XFRM_MSG_NEWSPDINFO: > err = xfrm_nla_cpy(dst, nla, nla_len(nla)); > break;
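Added example, not part of the thread or of the kernel source: a simplified user-space C model of the two switch expressions under discussion, which scans every 16-bit header type to show which value reaches the xfrm_nla_cpy() branch before and after the patch. The names dispatch_before, dispatch_after, sole_copy_type and the PATH_* labels are hypothetical, and the 16-bit width of the offset is an assumption; the constants are the values quoted in the reply above.

```c
#include <stdio.h>

/* From the thread: XFRM_MSG_NEWSPDINFO == 0x24 and
 * XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE == 0x14, so XFRM_MSG_BASE == 0x10. */
enum { XFRM_MSG_BASE = 0x10, XFRM_MSG_NEWSPDINFO = 0x24 };
enum path { PATH_COPY, PATH_TRANSLATE }; /* hypothetical branch labels */

/* Before the patch: the switch expression is an offset from XFRM_MSG_BASE,
 * the case label is an absolute message type (offset width assumed 16-bit). */
static enum path dispatch_before(unsigned short nlmsg_type)
{
	unsigned short type = (unsigned short)(nlmsg_type - XFRM_MSG_BASE);
	switch (type) {
	case XFRM_MSG_NEWSPDINFO:
		return PATH_COPY;
	default:
		return PATH_TRANSLATE;
	}
}

/* After the patch: expression and case label share one numbering space. */
static enum path dispatch_after(unsigned short nlmsg_type)
{
	switch (nlmsg_type) {
	case XFRM_MSG_NEWSPDINFO:
		return PATH_COPY;
	default:
		return PATH_TRANSLATE;
	}
}

/* Scan every 16-bit header type: return the single value that reaches the
 * copy branch, -1 if none does, -2 if more than one does. */
static int sole_copy_type(enum path (*dispatch)(unsigned short))
{
	int found = -1;
	for (int t = 0; t <= 0xffff; t++) {
		if (dispatch((unsigned short)t) != PATH_COPY)
			continue;
		if (found != -1)
			return -2;
		found = t;
	}
	return found;
}

int main(void)
{
	printf("before: copy branch for 0x%x\n", sole_copy_type(dispatch_before));
	printf("after:  copy branch for 0x%x\n", sole_copy_type(dispatch_after));
	return 0;
}
```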
On Tue, Jan 10, 2023 at 12:14:50PM +0300, Anastasia Belova wrote:
> Compare XFRM_MSG_NEWSPDINFO (value from netlink
> configuration messages enum) with nlh_src->nlmsg_type
> instead of nlh_src->nlmsg_type - XFRM_MSG_BASE.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 4e9505064f58 ("net/xfrm/compat: Copy xfrm_spdattr_type_t atributes")
> Signed-off-by: Anastasia Belova <abelova@astralinux.ru>

Applied, thanks a lot Anastasia!
diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c index a0f62fa02e06..12405aa5bce8 100644 --- a/net/xfrm/xfrm_compat.c +++ b/net/xfrm/xfrm_compat.c @@ -302,7 +302,7 @@ static int xfrm_xlate64(struct sk_buff *dst, const struct nlmsghdr *nlh_src) nla_for_each_attr(nla, attrs, len, remaining) { int err; - switch (type) { + switch (nlh_src->nlmsg_type) { case XFRM_MSG_NEWSPDINFO: err = xfrm_nla_cpy(dst, nla, nla_len(nla)); break;
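Review bot: In the switch at the top of the nla_for_each_attr() loop, nothing documents that the case label XFRM_MSG_NEWSPDINFO is an absolute netlink message type, while the replaced expression, type, held nlh_src->nlmsg_type - XFRM_MSG_BASE according to the commit message. A short comment on the case, saying that it is keyed on the raw header type and why these attributes go straight to xfrm_nla_cpy(), would guard against the same mix-up returning. The new expression nlh_src->nlmsg_type does not change between iterations, so the check could be made once before the loop instead of per attribute. The commit message should also state the runtime effect of the old comparison, which could only match a header type equal to XFRM_MSG_NEWSPDINFO + XFRM_MSG_BASE.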