diff mbox series

[net] net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Message ID 20221217221707.46010-1-xiyou.wangcong@gmail.com (mailing list archive)
State Accepted
Commit 9cd3fd2054c3b3055163accbf2f31a4426f10317
Delegated to: Netdev Maintainers
Headers show
Series [net] net_sched: reject TCF_EM_SIMPLE case for complex ematch module | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers warning 4 maintainers not CCed: edumazet@google.com davem@davemloft.net jiri@resnulli.us kuba@kernel.org
netdev/build_clang success Errors and warnings before: 1 this patch: 1
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Cong Wang Dec. 17, 2022, 10:17 p.m. UTC 
From: Cong Wang <cong.wang@bytedance.com>

When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
for ematch implementation:

https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/

"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
set will simply result in allocating & copy. It's an optimization,
nothing more."

So if an ematch module provides ops->datalen that means it wants a
complex data structure (saved in its em->data) instead of a simple u32
value. We should simply reject such a combination, otherwise this u32
could be misinterpreted as a pointer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/sched/ematch.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Paolo Abeni Dec. 19, 2022, 8:16 a.m. UTC | #1 
Hello,

On Sat, 2022-12-17 at 14:17 -0800, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
> for ematch implementation:
> 
> https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/
> 
> "You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
> set will simply result in allocating & copy. It's an optimization,
> nothing more."
> 
> So if an ematch module provides ops->datalen that means it wants a
> complex data structure (saved in its em->data) instead of a simple u32
> value. We should simply reject such a combination, otherwise this u32
> could be misinterpreted as a pointer.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
> Reported-by: Jun Nie <jun.nie@linaro.org>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>  net/sched/ematch.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/sched/ematch.c b/net/sched/ematch.c
> index 4ce681361851..5c1235e6076a 100644
> --- a/net/sched/ematch.c
> +++ b/net/sched/ematch.c
> @@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
>  			 * the value carried.
>  			 */
>  			if (em_hdr->flags & TCF_EM_SIMPLE) {
> +				if (em->ops->datalen > 0)
> +					goto errout;
>  				if (data_len < sizeof(u32))
>  					goto errout;
>  				em->data = *(u32 *) data;


The patch LGTM, thanks!

Acked-by: Paolo Abeni <pabeni@redhat.com>

If I read correctly, this effectively rejects any ematch with
TCF_EM_SIMPLE set (all the existing tcf_ematch_ops structs have eiter
.change or . datalen > 0).

It looks like EM_SIMPLE does not work as intended since a lot of time
(possibly since its introduction !?!). Can we drop it completely?

Cheers,

Paolo
patchwork-bot+netdevbpf@kernel.org Dec. 19, 2022, 9:50 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Sat, 17 Dec 2022 14:17:07 -0800 you wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
> for ematch implementation:
> 
> https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/
> 
> [...]

Here is the summary with links:
  - [net] net_sched: reject TCF_EM_SIMPLE case for complex ematch module
    https://git.kernel.org/netdev/net/c/9cd3fd2054c3

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 4ce681361851..5c1235e6076a 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -255,6 +255,8 @@  static int tcf_em_validate(struct tcf_proto *tp,
 			 * the value carried.
 			 */
 			if (em_hdr->flags & TCF_EM_SIMPLE) {
+				if (em->ops->datalen > 0)
+					goto errout;
 				if (data_len < sizeof(u32))
 					goto errout;
 				em->data = *(u32 *) data;