| Message ID | 20230723075042.3709043-1-linma@zju.edu.cn |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp1157693vqg;
Sun, 23 Jul 2023 01:18:45 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlGY/P7I4wBoUB89cqrxLPPjp6GM2bUWg4QDv3nklMJUpyar/jZh7itxH5rkXixB/Ly2R4JN
X-Received: by 2002:a17:907:7616:b0:965:9602:1f07 with SMTP id
jx22-20020a170907761600b0096596021f07mr5917553ejc.39.1690100325670;
Sun, 23 Jul 2023 01:18:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690100325; cv=none;
d=google.com; s=arc-20160816;
b=Ely5VILrO0RO2Y1aR3juAEzHOGDEbnSTIzp93daB3f6d3ZB0DycIxfmW4JXdgepPva
1GsAonISRvAU/GQ6nUYpfQqDWp7mUHDHEXiTzZoTJ7oxwA3rE+n/57EnktwyeN8C5i4e
i8UG0YvNcO/C7WvPmBpRmdrNDjgmBX7uL92thUJYcPgesM8eQQzhzfR5sw1erKYSbO0c
SSyJxP7gVsunDXW35N6uG+SBaWxenD+sNtmjnm3/tD5GwxwE3ynZ4kssoQKifKRBR9T0
jWEA8Rh8ganjqgCev/cWU97PqoquvWMgFmurk6nbTubT19rVp6ArvaCROHqN0dNt/5T+
SqZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:message-id:date:subject:cc:to:from;
bh=fLIT9jdlXfXViSrHT6hTnAIpvyx0w/C8Ni78ev1bsfg=;
fh=xvhTkoa+xb9qEoFskSwISa6TdLoYVIrLKWyOOPheDus=;
b=ewEBHEpxg9QW9UUqWUBYYlhss7/R74UJFzbMfKhvtlFpXcEJqt0mpR7V3/jj8yBkeD
u83IK1fQhT6GOjLLx19nGnx0QTjtchMrVGAE4D3FAtaJeRzKER4bQuudZSveGFSPlmty
HnhOCvq8ukPFgPs6yZwf5StdIIu1zG3AkFxtcpMWsUQs1tGYEMANksIXrx9tWmRjQo85
X8luEUdrvvrS8Q9J/76XVdkioJD6+epMv8Vc2o8qxTVUjhGpd0U7LbYVpyA6eWRqThZ6
wOBbMaaIm+5mMUU8J9xxHs73d9tH56cfzvsFP02ikikpo9X7NiUGsKIoDmUTixi/AStH
TsJA==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
s2-20020a1709060c0200b00992feaf6478si4858121ejf.1017.2023.07.23.01.18.14;
Sun, 23 Jul 2023 01:18:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229710AbjGWHvQ (ORCPT <rfc822;chrisben.tianve@gmail.com>
+ 99 others); Sun, 23 Jul 2023 03:51:16 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47522 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229468AbjGWHvP (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 23 Jul 2023 03:51:15 -0400
Received: from zg8tmtu5ljg5lje1ms4xmtka.icoremail.net
(zg8tmtu5ljg5lje1ms4xmtka.icoremail.net [159.89.151.119])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 218ABB1;
Sun, 23 Jul 2023 00:51:12 -0700 (PDT)
Received: from localhost.localdomain (unknown [39.174.92.167])
by mail-app3 (Coremail) with SMTP id cC_KCgBXX5_U27xkT01_Cw--.18571S4;
Sun, 23 Jul 2023 15:50:46 +0800 (CST)
From: Lin Ma <linma@zju.edu.cn>
To: jesse.brandeburg@intel.com, anthony.l.nguyen@intel.com,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, richardcochran@gmail.com, ast@kernel.org,
daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com,
intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: Lin Ma <linma@zju.edu.cn>
Subject: [PATCH v1] i40e: Add length check for IFLA_AF_SPEC parsing
Date: Sun, 23 Jul 2023 15:50:42 +0800
Message-Id: <20230723075042.3709043-1-linma@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID: cC_KCgBXX5_U27xkT01_Cw--.18571S4
X-Coremail-Antispam: 1UD129KBjvJXoWrZw43Zr45JF4xJw18Jr13Jwb_yoW8JrW5pw
4UGa48urykXr15WayxJa10grZ5Xanxtry5WF43tws5uwn5t3WDGFyUCF98ury7ArWrC3ZI
yF1DAFy3uFs8XFUanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDU0xBIdaVrnRJUUUvj14x267AKxVW5JVWrJwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U
JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc
CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E
2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV
W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2
Y2ka0xkIwI1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4
xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43
MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I
0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVWU
JVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjfUOm
hFUUUUU
X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1772198638948467154
X-GMAIL-MSGID: 1772198638948467154
|
| Series |
[v1] i40e: Add length check for IFLA_AF_SPEC parsing
|
|
Commit Message
Lin Ma
July 23, 2023, 7:50 a.m. UTC
The nla_for_each_nested parsing in function i40e_ndo_bridge_setlink()
does not check the length of the attribute. This can lead to an
out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
be viewed as a 2 byte integer.
This patch adds the check based on nla_len() just as other code does,
see how bnxt_bridge_setlink (drivers/net/ethernet/broadcom/bnxt/bnxt.c)
parses IFLA_AF_SPEC: type checking plus length checking.
Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On Sun, Jul 23, 2023 at 03:50:42PM +0800, Lin Ma wrote: > The nla_for_each_nested parsing in function i40e_ndo_bridge_setlink() > does not check the length of the attribute. This can lead to an > out-of-attribute read and allow a malformed nlattr (e.g., length 0) to > be viewed as a 2 byte integer. > > This patch adds the check based on nla_len() just as other code does, > see how bnxt_bridge_setlink (drivers/net/ethernet/broadcom/bnxt/bnxt.c) > parses IFLA_AF_SPEC: type checking plus length checking. > > Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops") > Signed-off-by: Lin Ma <linma@zju.edu.cn> > --- > drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c > index 29ad1797adce..6363357bdeeb 100644 > --- a/drivers/net/ethernet/intel/i40e/i40e_main.c > +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c > @@ -13186,6 +13186,9 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev, > if (nla_type(attr) != IFLA_BRIDGE_MODE) > continue; > > + if (nla_len(attr) < sizeof(mode)) > + return -EINVAL; > + I see that you added this hunk to all users of nla_for_each_nested(), it will be great to make that iterator to skip such empty attributes. However, i don't know nettlink good enough to say if your change is valid in first place. Thanks > mode = nla_get_u16(attr); > if ((mode != BRIDGE_MODE_VEPA) && > (mode != BRIDGE_MODE_VEB)) > -- > 2.17.1 > >
On Mon, 24 Jul 2023 20:44:35 +0300 Leon Romanovsky wrote: > > @@ -13186,6 +13186,9 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev, > > if (nla_type(attr) != IFLA_BRIDGE_MODE) > > continue; > > > > + if (nla_len(attr) < sizeof(mode)) > > + return -EINVAL; > > + > > I see that you added this hunk to all users of nla_for_each_nested(), it > will be great to make that iterator to skip such empty attributes. > > However, i don't know nettlink good enough to say if your change is > valid in first place. Empty attributes are valid, we can't do that. But there's a loop in rtnl_bridge_setlink() which checks the attributes. We can add the check there instead of all users, as Leon points out. (Please just double check that all ndo_bridge_setlink implementation expect this value to be a u16, they should/)
Hello Jakub, > On Mon, 24 Jul 2023 20:44:35 +0300 Leon Romanovsky wrote: > > > @@ -13186,6 +13186,9 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev, > > > if (nla_type(attr) != IFLA_BRIDGE_MODE) > > > continue; > > > > > > + if (nla_len(attr) < sizeof(mode)) > > > + return -EINVAL; > > > + > > > > I see that you added this hunk to all users of nla_for_each_nested(), it > > will be great to make that iterator to skip such empty attributes. > > > > However, i don't know nettlink good enough to say if your change is > > valid in first place. > > Empty attributes are valid, we can't do that. > > But there's a loop in rtnl_bridge_setlink() which checks the attributes. Cool, I will check this out and prepare another patch. > We can add the check there instead of all users, as Leon points out. > (Please just double check that all ndo_bridge_setlink implementation > expect this value to be a u16, they should/) Okay, I will finish that ASAP > -- > pw-bot: cr Regards Lin
On Mon, Jul 24, 2023 at 02:21:55PM -0700, Jakub Kicinski wrote: > On Mon, 24 Jul 2023 20:44:35 +0300 Leon Romanovsky wrote: > > > @@ -13186,6 +13186,9 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev, > > > if (nla_type(attr) != IFLA_BRIDGE_MODE) > > > continue; > > > > > > + if (nla_len(attr) < sizeof(mode)) > > > + return -EINVAL; > > > + > > > > I see that you added this hunk to all users of nla_for_each_nested(), it > > will be great to make that iterator to skip such empty attributes. > > > > However, i don't know nettlink good enough to say if your change is > > valid in first place. > > Empty attributes are valid, we can't do that. Maybe Lin can add special version of nla_for_each_nested() which will skip these empty NLAs, for code which don't allow empty attributes. > > But there's a loop in rtnl_bridge_setlink() which checks the attributes. > We can add the check there instead of all users, as Leon points out. > (Please just double check that all ndo_bridge_setlink implementation > expect this value to be a u16, they should/) > -- > pw-bot: cr
On Tue, 25 Jul 2023 08:40:46 +0300 Leon Romanovsky wrote: > > Empty attributes are valid, we can't do that. > > Maybe Lin can add special version of nla_for_each_nested() which will > skip these empty NLAs, for code which don't allow empty attributes. It's way too arbitrary. Empty attrs are 100% legit, they are called NLA_FLAG in policy parlance. They are basically a boolean.
On Tue, Jul 25, 2023 at 09:53:27AM -0700, Jakub Kicinski wrote: > On Tue, 25 Jul 2023 08:40:46 +0300 Leon Romanovsky wrote: > > > Empty attributes are valid, we can't do that. > > > > Maybe Lin can add special version of nla_for_each_nested() which will > > skip these empty NLAs, for code which don't allow empty attributes. > > It's way too arbitrary. Empty attrs are 100% legit, they are called > NLA_FLAG in policy parlance. They are basically a boolean. I afraid that these nla_length() checks will be copied all other the kernel without any understanding and netlink API doesn't really provide any hint when length checks are needed and when they don't. Thank
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c index 29ad1797adce..6363357bdeeb 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -13186,6 +13186,9 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev, if (nla_type(attr) != IFLA_BRIDGE_MODE) continue; + if (nla_len(attr) < sizeof(mode)) + return -EINVAL; + mode = nla_get_u16(attr); if ((mode != BRIDGE_MODE_VEPA) && (mode != BRIDGE_MODE_VEB))