From patchwork Sun Jul 23 07:52:39 2023
X-Patchwork-Submitter: Lin Ma
X-Patchwork-Id: 124428
From: Lin Ma
To: jesse.brandeburg@intel.com, anthony.l.nguyen@intel.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, richardcochran@gmail.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Lin Ma
Subject: [PATCH v1] ice: Add length check for IFLA_AF_SPEC parsing
Date: Sun, 23 Jul 2023 15:52:39 +0800
Message-Id: <20230723075239.3710086-1-linma@zju.edu.cn>

The nla_for_each_nested parsing in function ice_bridge_setlink() does not check the length of the nested attribute. This can lead to an out-of-attribute read and allow a malformed nlattr (e.g., length 0) to be viewed as a 2 byte integer.

This patch adds the check based on nla_len() just as other code does, see how bnxt_bridge_setlink (drivers/net/ethernet/broadcom/bnxt/bnxt.c) parses IFLA_AF_SPEC: type checking plus length checking.

Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
Signed-off-by: Lin Ma
--- drivers/net/ethernet/intel/ice/ice_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c index 19a5e7f3a075..85730075dcb4 100644 --- a/drivers/net/ethernet/intel/ice/ice_main.c +++ b/drivers/net/ethernet/intel/ice/ice_main.c @@ -7701,6 +7701,10 @@ ice_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh, if (nla_type(attr) != IFLA_BRIDGE_MODE) continue; + + if (nla_len(attr) < sizeof(mode)) + return -EINVAL; + mode = nla_get_u16(attr); if (mode != BRIDGE_MODE_VEPA && mode != BRIDGE_MODE_VEB) return -EINVAL;
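
Review bot: the added bound `nla_len(attr) < sizeof(mode)` is sized against the local variable rather than against what `nla_get_u16(attr)` reads on the following line, and the declaration of `mode` is outside this hunk, so the check cannot be confirmed as a two-byte bound from the diff alone. Comparing against `sizeof(u16)` would keep the bound tied to the accessor even if the type of `mode` changes later. The `<` comparison also accepts payloads longer than two bytes; the commit message should say whether oversized IFLA_BRIDGE_MODE attributes are meant to be tolerated or whether an exact-length match is wanted. Placing the check after the `nla_type(attr) != IFLA_BRIDGE_MODE` filter and returning `-EINVAL` is consistent with the existing mode validation directly below it.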