diff mbox series

[v1] bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing

Message ID 20230723075452.3711158-1-linma@zju.edu.cn (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series [v1] bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1347 this patch: 1347
netdev/cc_maintainers fail 1 blamed authors not CCed: songliubraving@fb.com; 1 maintainers not CCed: songliubraving@fb.com
netdev/build_clang success Errors and warnings before: 1365 this patch: 1365
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1370 this patch: 1370
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ${{ matrix.test }} on ${{ matrix.arch }} with ${{ matrix.toolchain_full }}
bpf/vmtest-bpf-next-VM_Test-2 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-4 fail Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-5 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-7 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-8 success Logs for veristat

Commit Message

Lin Ma July 23, 2023, 7:54 a.m. UTC 
The nla_for_each_nested parsing in function bpf_sk_storage_diag_alloc
does not check the length of the nested attribute. This can lead to an
out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
be viewed as a 4 byte integer.

This patch adds additional check before the execution of nla_get_u32 to
make sure the attribute has enough length.

Fixes: 1ed4d92458a9 ("bpf: INET_DIAG support in bpf_sk_storage")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 net/core/bpf_sk_storage.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Jakub Kicinski July 24, 2023, 10:15 p.m. UTC | #1 
On Sun, 23 Jul 2023 15:54:52 +0800 Lin Ma wrote:
> diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
> index d4172534dfa8..6f1afbb394a6 100644
> --- a/net/core/bpf_sk_storage.c
> +++ b/net/core/bpf_sk_storage.c
> @@ -511,6 +511,11 @@ bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs)
>  		if (nla_type(nla) != SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
>  			continue;
>  
> +		if (nla_len(nla) < sizeof(map_fd)) {
> +			err = -EINVAL;
> +			goto err_free;
> +		}

You can move this check earlier, when the attributes are getting
counted. That way we can avoid the alloc/free on error.
Lin Ma July 25, 2023, 12:12 a.m. UTC | #2 
Hi Jakub,

> 
> You can move this check earlier, when the attributes are getting
> counted. That way we can avoid the alloc/free on error.

Good point, will fix that and prepare another patch

Thanks
Lin
diff mbox series

Patch

diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
index d4172534dfa8..6f1afbb394a6 100644
--- a/net/core/bpf_sk_storage.c
+++ b/net/core/bpf_sk_storage.c
@@ -511,6 +511,11 @@  bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs)
 		if (nla_type(nla) != SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
 			continue;
 
+		if (nla_len(nla) < sizeof(map_fd)) {
+			err = -EINVAL;
+			goto err_free;
+		}
+
 		map_fd = nla_get_u32(nla);
 		map = bpf_map_get(map_fd);
 		if (IS_ERR(map)) {