From patchwork Sun Dec 24 16:54:13 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lin Ma <linma@zju.edu.cn>
X-Patchwork-Id: 183089
Return-Path: <linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:6f82:b0:100:9c79:88ff with SMTP id tb2csp35517dyb;
        Sun, 24 Dec 2023 08:55:06 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IF2B69THZPAi695R2XuaFbm3iGzlVt2+x2JbkqS2iMAKt0qo9ada0xF6i4sa2+7qE7689ei
X-Received: by 2002:a17:907:596:b0:a26:a1a7:a67d with SMTP id
 vw22-20020a170907059600b00a26a1a7a67dmr1802600ejb.46.1703436905921;
        Sun, 24 Dec 2023 08:55:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1703436905; cv=none;
        d=google.com; s=arc-20160816;
        b=mFHFqwYEveVl2m6yWykcyuqG2emNO7CE2mprdBiQ91ImGqEh0m57E55+CcgeI95FyE
         3NG/35dxOO5sf9C65XAu2MWnQlmaAVuc10SMVfyrH/P1lEWtwSKHtBr7R1WyDJiBMfzi
         H8xcDuA3GhRtP7R0Dzcfy7RSMvXX8kKB7Mir8hyhaaDgzBECCjoSYdDpQd6lVGtknyyo
         cO0sufC/ufIgybE99cGkcF0hUVr9nrarVMWzjNVh80FlNC69XnMtMIXeGbpgi+vq/n8A
         OYEptM8dLan2U0bx9F5TgHgZkEsj4OmUl335CbwBgQUIWtWFipP/QLeq2D2jT0c2WfLA
         R95A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-unsubscribe:list-subscribe:list-id:precedence:message-id:date
         :subject:cc:to:from;
        bh=/Z3Qg6fLNCmLSPiVc3bzJGjW2+t5ieVraWONlMkamqY=;
        fh=KYovjcnz99Uc/wxgCfEKehITcqlb+4FKQ/03gJzLrs4=;
        b=zYh0YBaRpP3f1+hpZZ9vnIAL7/spLZNwvXVWqqVELDj/T5ORfnu4Wjwza6aoKesaw2
         BcWmPxAMrUjniO84JPK+ssPmJ+QAAT8v93hs0hAbYoY1+W8c7FKFK6qtEhwaxySCax3P
         hXTq+xiOBuqz7a2c3u5aYAg7l09wiHmoA31+CeylK88SNHbmqAJF+Vo1xV52fydGA4ci
         /NVz6SK4SLIyDEtJ3nioq7bKp0KF+3AwkQy8McaDSX2yaqhMsjk2KOzhl46K/p+NydIB
         CN2EH6s+1kjwHJpfTBvC29Gz2L/RkQkm52g2aFDfS/Ts5+sGuBi/KCIZLvf5KgM0U+KJ
         WEVA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of
 linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org designates
 147.75.80.249 as permitted sender)
 smtp.mailfrom="linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org"
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id
 gh15-20020a1709073c0f00b00a26aea0b71csi3011376ejc.245.2023.12.24.08.55.05
        for <ouuuleilei@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 24 Dec 2023 08:55:05 -0800 (PST)
Received-SPF: pass (google.com: domain of
 linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org designates
 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of
 linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org designates
 147.75.80.249 as permitted sender)
 smtp.mailfrom="linux-kernel+bounces-10773-ouuuleilei=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
 [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 8A9B01F21036
	for <ouuuleilei@gmail.com>; Sun, 24 Dec 2023 16:55:05 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 50F99D292;
	Sun, 24 Dec 2023 16:54:46 +0000 (UTC)
X-Original-To: linux-kernel@vger.kernel.org
Received: from zg8tmtu5ljg5lje1ms4xmtka.icoremail.net
 (zg8tmtu5ljg5lje1ms4xmtka.icoremail.net [159.89.151.119])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id CA8E1CA68;
	Sun, 24 Dec 2023 16:54:39 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=zju.edu.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=zju.edu.cn
Received: from localhost.localdomain (unknown [39.174.92.167])
	by mail-app4 (Coremail) with SMTP id cS_KCgA3OaRAYohlOrPzAA--.30851S4;
	Mon, 25 Dec 2023 00:54:26 +0800 (CST)
From: Lin Ma <linma@zju.edu.cn>
To: jhs@mojatatu.com,
	xiyou.wangcong@gmail.com,
	jiri@resnulli.us,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Lin Ma <linma@zju.edu.cn>
Subject: [PATCH net v1] net/sched: cls_api: complement tcf_tfilter_dump_policy
Date: Mon, 25 Dec 2023 00:54:13 +0800
Message-Id: <20231224165413.831486-1-linma@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID: cS_KCgA3OaRAYohlOrPzAA--.30851S4
X-Coremail-Antispam: 1UD129KBjvJXoW7CFW7Aw1fAr43ZF1UXw17GFg_yoW8WF1xpF
	ZrW348C34DXFyUJws7G3Z7ZF9IgrZxZw4UWrZYk34IvwnxWrnxGayftayak3ZFkF48Arsx
	tF98t3yDWa1DuF7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUv014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
	rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
	1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j
	6r4UJwA2z4x0Y4vEx4A2jsIE14v26r4UJVWxJr1l84ACjcxK6I8E87Iv6xkF7I0E14v26F
	4UJVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv
	7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r
	1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02
	628vn2kIc2xKxwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c
	02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_
	GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7
	CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v2
	6r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Jr0_GrUvcSsGvfC2KfnxnUUI43ZEXa7VUb
	XdbUUUUUU==
X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1786183057052507654
X-GMAIL-MSGID: 1786183057052507654

In function `tc_dump_tfilter`, the attributes array is parsed via
tcf_tfilter_dump_policy which only describes TCA_DUMP_FLAGS. However,
the NLA TCA_CHAIN is also accessed with `nla_get_u32`. According to the
commit 5e2424708da7 ("xfrm: add forgotten nla_policy for
XFRMA_MTIMER_THRESH"), such a missing piece could lead to a potential
heap data leak.

The access to TCA_CHAIN is introduced in commit 5bc1701881e3 ("net:
sched: introduce multichain support for filters") and no nla_policy is
provided for parsing at that point. Later on, tcf_tfilter_dump_policy is
introduced in commit f8ab1807a9c9 ("net: sched: introduce terse dump
flag") while still ignoring the fact that TCA_CHAIN needs a check. This
patch does that by complementing the policy.

Note that other functions that access TCA_CHAIN, like tc_new_tfilter,
are not vulnerable as they choose rtm_tca_policy as the parsing policy
which describes the TCA_CHAIN already.

Fixes: 5bc1701881e3 ("net: sched: introduce multichain support for filters")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 net/sched/cls_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 1976bd163986..2b5b8eca2ee3 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -2732,6 +2732,7 @@ static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent,
 }
 
 static const struct nla_policy tcf_tfilter_dump_policy[TCA_MAX + 1] = {
+	[TCA_CHAIN]      = { .type = NLA_U32 },
 	[TCA_DUMP_FLAGS] = NLA_POLICY_BITFIELD32(TCA_DUMP_FLAGS_TERSE),
 };