[v1] ice: Add length check for IFLA_AF_SPEC parsing

Message ID	20230723075239.3710086-1-linma@zju.edu.cn (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E730DEBD for <netdev@vger.kernel.org>; Sun, 23 Jul 2023 07:53:08 +0000 (UTC) From: Lin Ma <linma@zju.edu.cn> To: jesse.brandeburg@intel.com, anthony.l.nguyen@intel.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, richardcochran@gmail.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Lin Ma <linma@zju.edu.cn> Subject: [PATCH v1] ice: Add length check for IFLA_AF_SPEC parsing Date: Sun, 23 Jul 2023 15:52:39 +0800 Message-Id: <20230723075239.3710086-1-linma@zju.edu.cn> Precedence: bulk
Series	[v1] ice: Add length check for IFLA_AF_SPEC parsing \| expand [v1] ice: Add length check for IFLA_AF_SPEC parsing

Message ID

20230723075239.3710086-1-linma@zju.edu.cn (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: Lin Ma <linma@zju.edu.cn>
To: jesse.brandeburg@intel.com,
	anthony.l.nguyen@intel.com,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	richardcochran@gmail.com,
	ast@kernel.org,
	daniel@iogearbox.net,
	hawk@kernel.org,
	john.fastabend@gmail.com,
	intel-wired-lan@lists.osuosl.org,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Lin Ma <linma@zju.edu.cn>
Subject: [PATCH v1] ice: Add length check for IFLA_AF_SPEC parsing
Date: Sun, 23 Jul 2023 15:52:39 +0800
Message-Id: <20230723075239.3710086-1-linma@zju.edu.cn>
Precedence: bulk

Series

[v1] ice: Add length check for IFLA_AF_SPEC parsing | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1342 this patch: 1342
netdev/cc_maintainers	fail	2 blamed authors not CCed: anirudh.venkataramanan@intel.com md.fahad.iqbal.polash@intel.com; 2 maintainers not CCed: anirudh.venkataramanan@intel.com md.fahad.iqbal.polash@intel.com
netdev/build_clang	success	Errors and warnings before: 1365 this patch: 1365
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1365 this patch: 1365
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1342 this patch: 1342

netdev/cc_maintainers

fail

2 blamed authors not CCed: anirudh.venkataramanan@intel.com md.fahad.iqbal.polash@intel.com; 2 maintainers not CCed: anirudh.venkataramanan@intel.com md.fahad.iqbal.polash@intel.com

netdev/build_clang

success

Errors and warnings before: 1365 this patch: 1365

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1365 this patch: 1365

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 10 lines checked

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Lin Ma July 23, 2023, 7:52 a.m. UTC

The nla_for_each_nested parsing in function ice_bridge_setlink() does
not check the length of the nested attribute. This can lead to an
out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
be viewed as a 2 byte integer.

This patch adds the check based on nla_len() just as other code does,
see how bnxt_bridge_setlink (drivers/net/ethernet/broadcom/bnxt/bnxt.c)
parses IFLA_AF_SPEC: type checking plus length checking.

Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 drivers/net/ethernet/intel/ice/ice_main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index 19a5e7f3a075..85730075dcb4 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -7701,6 +7701,10 @@  ice_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh,
 
 		if (nla_type(attr) != IFLA_BRIDGE_MODE)
 			continue;
+
+		if (nla_len(attr) < sizeof(mode))
+			return -EINVAL;
+
 		mode = nla_get_u16(attr);
 		if (mode != BRIDGE_MODE_VEPA && mode != BRIDGE_MODE_VEB)
 			return -EINVAL;

[v1] ice: Add length check for IFLA_AF_SPEC parsing

Checks

Commit Message

Patch