From patchwork Sun Dec 24 16:54:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lin Ma X-Patchwork-Id: 183089 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7301:6f82:b0:100:9c79:88ff with SMTP id tb2csp35517dyb; Sun, 24 Dec 2023 08:55:06 -0800 (PST) X-Google-Smtp-Source: AGHT+IF2B69THZPAi695R2XuaFbm3iGzlVt2+x2JbkqS2iMAKt0qo9ada0xF6i4sa2+7qE7689ei X-Received: by 2002:a17:907:596:b0:a26:a1a7:a67d with SMTP id vw22-20020a170907059600b00a26a1a7a67dmr1802600ejb.46.1703436905921; Sun, 24 Dec 2023 08:55:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703436905; cv=none; d=google.com; s=arc-20160816; b=mFHFqwYEveVl2m6yWykcyuqG2emNO7CE2mprdBiQ91ImGqEh0m57E55+CcgeI95FyE 3NG/35dxOO5sf9C65XAu2MWnQlmaAVuc10SMVfyrH/P1lEWtwSKHtBr7R1WyDJiBMfzi H8xcDuA3GhRtP7R0Dzcfy7RSMvXX8kKB7Mir8hyhaaDgzBECCjoSYdDpQd6lVGtknyyo cO0sufC/ufIgybE99cGkcF0hUVr9nrarVMWzjNVh80FlNC69XnMtMIXeGbpgi+vq/n8A OYEptM8dLan2U0bx9F5TgHgZkEsj4OmUl335CbwBgQUIWtWFipP/QLeq2D2jT0c2WfLA R95A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-id:precedence:message-id:date :subject:cc:to:from; bh=/Z3Qg6fLNCmLSPiVc3bzJGjW2+t5ieVraWONlMkamqY=; fh=KYovjcnz99Uc/wxgCfEKehITcqlb+4FKQ/03gJzLrs4=; b=zYh0YBaRpP3f1+hpZZ9vnIAL7/spLZNwvXVWqqVELDj/T5ORfnu4Wjwza6aoKesaw2 BcWmPxAMrUjniO84JPK+ssPmJ+QAAT8v93hs0hAbYoY1+W8c7FKFK6qtEhwaxySCax3P hXTq+xiOBuqz7a2c3u5aYAg7l09wiHmoA31+CeylK88SNHbmqAJF+Vo1xV52fydGA4ci /NVz6SK4SLIyDEtJ3nioq7bKp0KF+3AwkQy8McaDSX2yaqhMsjk2KOzhl46K/p+NydIB CN2EH6s+1kjwHJpfTBvC29Gz2L/RkQkm52g2aFDfS/Ts5+sGuBi/KCIZLvf5KgM0U+KJ WEVA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org" Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id gh15-20020a1709073c0f00b00a26aea0b71csi3011376ejc.245.2023.12.24.08.55.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 Dec 2023 08:55:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 8A9B01F21036 for ; Sun, 24 Dec 2023 16:55:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 50F99D292; Sun, 24 Dec 2023 16:54:46 +0000 (UTC) X-Original-To: linux-kernel@vger.kernel.org Received: from zg8tmtu5ljg5lje1ms4xmtka.icoremail.net (zg8tmtu5ljg5lje1ms4xmtka.icoremail.net [159.89.151.119]) by smtp.subspace.kernel.org (Postfix) with ESMTP id CA8E1CA68; Sun, 24 Dec 2023 16:54:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zju.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=zju.edu.cn Received: from localhost.localdomain (unknown [39.174.92.167]) by mail-app4 (Coremail) with SMTP id cS_KCgA3OaRAYohlOrPzAA--.30851S4; Mon, 25 Dec 2023 00:54:26 +0800 (CST) From: Lin Ma To: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Lin Ma Subject: [PATCH net v1] net/sched: cls_api: complement tcf_tfilter_dump_policy Date: Mon, 25 Dec 2023 00:54:13 +0800 Message-Id: <20231224165413.831486-1-linma@zju.edu.cn> X-Mailer: git-send-email 2.17.1 X-CM-TRANSID: cS_KCgA3OaRAYohlOrPzAA--.30851S4 X-Coremail-Antispam: 1UD129KBjvJXoW7CFW7Aw1fAr43ZF1UXw17GFg_yoW8WF1xpF ZrW348C34DXFyUJws7G3Z7ZF9IgrZxZw4UWrZYk34IvwnxWrnxGayftayak3ZFkF48Arsx tF98t3yDWa1DuF7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUv014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j 6r4UJwA2z4x0Y4vEx4A2jsIE14v26r4UJVWxJr1l84ACjcxK6I8E87Iv6xkF7I0E14v26F 4UJVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv 7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r 1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02 628vn2kIc2xKxwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c 02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_ GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7 CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v2 6r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Jr0_GrUvcSsGvfC2KfnxnUUI43ZEXa7VUb XdbUUUUUU== X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1786183057052507654 X-GMAIL-MSGID: 1786183057052507654 In function `tc_dump_tfilter`, the attributes array is parsed via tcf_tfilter_dump_policy which only describes TCA_DUMP_FLAGS. However, the NLA TCA_CHAIN is also accessed with `nla_get_u32`. According to the commit 5e2424708da7 ("xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH"), such a missing piece could lead to a potential heap data leak. The access to TCA_CHAIN is introduced in commit 5bc1701881e3 ("net: sched: introduce multichain support for filters") and no nla_policy is provided for parsing at that point. Later on, tcf_tfilter_dump_policy is introduced in commit f8ab1807a9c9 ("net: sched: introduce terse dump flag") while still ignoring the fact that TCA_CHAIN needs a check. This patch does that by complementing the policy. Note that other functions that access TCA_CHAIN, like tc_new_tfilter, are not vulnerable as they choose rtm_tca_policy as the parsing policy which describes the TCA_CHAIN already. Fixes: 5bc1701881e3 ("net: sched: introduce multichain support for filters") Signed-off-by: Lin Ma --- net/sched/cls_api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 1976bd163986..2b5b8eca2ee3 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -2732,6 +2732,7 @@ static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent, } static const struct nla_policy tcf_tfilter_dump_policy[TCA_MAX + 1] = { + [TCA_CHAIN] = { .type = NLA_U32 }, [TCA_DUMP_FLAGS] = NLA_POLICY_BITFIELD32(TCA_DUMP_FLAGS_TERSE), };