Message ID | 20230723080205.3715164-1-linma@zju.edu.cn (mailing list archive) |
---|---|
State | Accepted |
Commit | 55cef78c244d0d076f5a75a35530ca63c92f4426 |
Delegated to: | Netdev Maintainers |
Series | [v1] macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF |
+ Herbert Xu

On Sun, Jul 23, 2023 at 04:02:05PM +0800, Lin Ma wrote:
> The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for
> broadcast cutoff") added one additional attribute named
> IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.
>
> However, it forgot to describe the nla_policy at macvlan_policy
> (drivers/net/macvlan.c). Hence, this supposed NLA_S32 (4 bytes) integer
> can be faked as empty (0 bytes) by a malicious user, which could lead
> to OOB in heap just like CVE-2023-3773.
>
> To fix it, this commit just completes the nla_policy description for
> IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the
> potential OOB read.
>
> Fixes: 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>

Reviewed-by: Simon Horman <simon.horman@corigine.com>

> ---
> drivers/net/macvlan.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
> index 4a53debf9d7c..ed908165a8b4 100644
> --- a/drivers/net/macvlan.c
> +++ b/drivers/net/macvlan.c
> @@ -1746,6 +1746,7 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
> [IFLA_MACVLAN_MACADDR_COUNT] = { .type = NLA_U32 },
> [IFLA_MACVLAN_BC_QUEUE_LEN] = { .type = NLA_U32 },
> [IFLA_MACVLAN_BC_QUEUE_LEN_USED] = { .type = NLA_REJECT },
> + [IFLA_MACVLAN_BC_CUTOFF] = { .type = NLA_S32 },
> };
>
> int macvlan_link_register(struct rtnl_link_ops *ops)
> --
> 2.17.1
>
>
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Sun, 23 Jul 2023 16:02:05 +0800 you wrote:
> The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for
> broadcast cutoff") added one additional attribute named
> IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.
>
> However, it forgot to describe the nla_policy at macvlan_policy
> (drivers/net/macvlan.c). Hence, this supposed NLA_S32 (4 bytes) integer
> can be faked as empty (0 bytes) by a malicious user, which could lead
> to OOB in heap just like CVE-2023-3773.
>
> [...]

Here is the summary with links:
  - [v1] macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF
    https://git.kernel.org/netdev/net/c/55cef78c244d

You are awesome, thank you!
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 4a53debf9d7c..ed908165a8b4 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1746,6 +1746,7 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
[IFLA_MACVLAN_MACADDR_COUNT] = { .type = NLA_U32 },
[IFLA_MACVLAN_BC_QUEUE_LEN] = { .type = NLA_U32 },
[IFLA_MACVLAN_BC_QUEUE_LEN_USED] = { .type = NLA_REJECT },
+ [IFLA_MACVLAN_BC_CUTOFF] = { .type = NLA_S32 },
};

int macvlan_link_register(struct rtnl_link_ops *ops)
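Review bot: the new `[IFLA_MACVLAN_BC_CUTOFF] = { .type = NLA_S32 },` entry closes the length gap, but the commit message should say why the gap existed rather than only that the entry was forgotten: a slot in macvlan_policy[] with no initialiser is zero, i.e. NLA_UNSPEC with .len 0, and for that type the attribute parser accepts any payload length, zero included; NLA_S32 makes it refuse anything shorter than sizeof(s32) before the driver reads the value. One thing to confirm while here: whether a plain NLA_S32 is enough or the value also wants a range (for example NLA_POLICY_MIN(NLA_S32, -1)), which depends on what negative cutoffs mean to the driver and is not visible in this hunk.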
The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff") added one additional attribute named IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.

However, it forgot to describe the nla_policy at macvlan_policy (drivers/net/macvlan.c). Hence, this supposed NLA_S32 (4 bytes) integer can be faked as empty (0 bytes) by a malicious user, which could lead to OOB in heap just like CVE-2023-3773.

To fix it, this commit just completes the nla_policy description for IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the potential OOB read.

Fixes: 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 drivers/net/macvlan.c | 1 +
 1 file changed, 1 insertion(+)
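The commit message describes the mechanism in one sentence: without a policy entry, nothing checks the attribute's length, so a zero-byte IFLA_MACVLAN_BC_CUTOFF passes parsing and the driver's 4-byte read runs off the end of the attribute. The following is an added example, not code from this patch or from the kernel: a userspace model of that check, with `nla_parse()` and `validate_nla()` reduced to the length test that matters here. The `struct nlattr` layout and the IFLA_MACVLAN_* numbers follow the uapi headers; the NLA_* type codes, the `macvlan_policy_old`/`macvlan_policy_new` tables and the two input messages are constructed for the example. It parses a crafted zero-payload attribute and a well-formed one under the pre-fix and post-fix policy and reports how many bytes an `nla_get_s32()` on the accepted attribute would read past the end of the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink attribute header, as in include/uapi/linux/netlink.h. */
struct nlattr {
	uint16_t nla_len;	/* header + payload, before padding */
	uint16_t nla_type;
};
#define NLA_ALIGN(len)	(((len) + 3) & ~3)
#define NLA_HDRLEN	((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Type codes local to this model (the kernel's enum uses other values) and
 * attribute numbers as in include/uapi/linux/if_link.h. */
enum { NLA_UNSPEC, NLA_U32, NLA_S32, NLA_REJECT };
enum { IFLA_MACVLAN_BC_QUEUE_LEN = 7, IFLA_MACVLAN_BC_QUEUE_LEN_USED = 8,
       IFLA_MACVLAN_BC_CUTOFF = 9, IFLA_MACVLAN_MAX = 9 };

struct nla_policy { int type; };

/* Minimum payload per type; an absent policy entry is NLA_UNSPEC, hence 0. */
static const int nla_attr_minlen[] = {
	[NLA_UNSPEC] = 0, [NLA_U32] = 4, [NLA_S32] = 4, [NLA_REJECT] = 0,
};

/* Policy before the fix: slot 9 is zero-initialised, i.e. NLA_UNSPEC. */
static const struct nla_policy macvlan_policy_old[IFLA_MACVLAN_MAX + 1] = {
	[IFLA_MACVLAN_BC_QUEUE_LEN]	 = { .type = NLA_U32 },
	[IFLA_MACVLAN_BC_QUEUE_LEN_USED] = { .type = NLA_REJECT },
};
/* Policy after the fix. */
static const struct nla_policy macvlan_policy_new[IFLA_MACVLAN_MAX + 1] = {
	[IFLA_MACVLAN_BC_QUEUE_LEN]	 = { .type = NLA_U32 },
	[IFLA_MACVLAN_BC_QUEUE_LEN_USED] = { .type = NLA_REJECT },
	[IFLA_MACVLAN_BC_CUTOFF]	 = { .type = NLA_S32 },
};

/* Reduced validate_nla(): refuse NLA_REJECT and payloads below the minimum. */
static int validate_nla(const struct nlattr *nla, const struct nla_policy *policy)
{
	const struct nla_policy *pt = &policy[nla->nla_type];
	int attrlen = nla->nla_len - NLA_HDRLEN;
	if (pt->type == NLA_REJECT || attrlen < nla_attr_minlen[pt->type])
		return -EINVAL;
	return 0;
}

/* Reduced nla_parse(): validate each attribute and index it in tb[]. */
static int nla_parse(const struct nlattr **tb, int maxtype, const void *buf,
		     int len, const struct nla_policy *policy)
{
	const unsigned char *p = buf;
	memset(tb, 0, sizeof(*tb) * (maxtype + 1));
	while (len >= NLA_HDRLEN) {
		const struct nlattr *nla = (const struct nlattr *)p;
		if (nla->nla_len < NLA_HDRLEN || nla->nla_len > len)
			return -EINVAL;
		if (nla->nla_type <= maxtype) {
			if (validate_nla(nla, policy))
				return -EINVAL;
			tb[nla->nla_type] = nla;
		}
		p += NLA_ALIGN(nla->nla_len);
		len -= NLA_ALIGN(nla->nla_len);
	}
	return 0;
}

/* Constructed inputs: 'crafted' is the attacker's cutoff attribute with an
 * empty payload (nla_len == header size) as the last thing in the buffer;
 * 'wellformed' carries the 4-byte payload the driver expects. */
static const struct nlattr crafted = { .nla_len = NLA_HDRLEN,
				       .nla_type = IFLA_MACVLAN_BC_CUTOFF };
static const struct { struct nlattr hdr; int32_t val; } wellformed = {
	{ NLA_HDRLEN + sizeof(int32_t), IFLA_MACVLAN_BC_CUTOFF }, -1 };

/* Parse msg under policy and report what nla_get_s32() on the cutoff
 * attribute would then do: -1 if the parser rejected the message, otherwise
 * how many bytes of the 4-byte read would land past the end of the buffer. */
static int cutoff_overread(const struct nla_policy *policy, const void *msg, int len)
{
	const struct nlattr *tb[IFLA_MACVLAN_MAX + 1];
	const unsigned char *end = (const unsigned char *)msg + len, *payload;
	int avail, need = (int)sizeof(int32_t);
	if (nla_parse(tb, IFLA_MACVLAN_MAX, msg, len, policy) || !tb[IFLA_MACVLAN_BC_CUTOFF])
		return -1;
	payload = (const unsigned char *)tb[IFLA_MACVLAN_BC_CUTOFF] + NLA_HDRLEN;
	avail = (int)(end - payload);	/* payload bytes actually inside msg */
	return need > avail ? need - avail : 0;
}

int main(void)
{
	printf("old policy, empty attr: %d bytes read past the message\n",
	       cutoff_overread(macvlan_policy_old, &crafted, sizeof(crafted)));
	printf("new policy, empty attr: %d (rejected with -EINVAL)\n",
	       cutoff_overread(macvlan_policy_new, &crafted, sizeof(crafted)));
	return 0;
}
```

Under the old table the empty attribute is accepted and the whole 4-byte read falls outside the message, which in the kernel means reading whatever follows the netlink skb data in the heap; under the new table the same message fails with -EINVAL before any driver code sees it, while the well-formed 4-byte attribute still parses under both. The model deliberately only implements the minimum-length test: the real `validate_nla()` in lib/nlattr.c also handles over-long integers, nested attributes and strict-mode checks, none of which change the outcome for this attribute.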