lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210112173813.17861ae6@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date:   Tue, 12 Jan 2021 17:38:13 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     netdev@...r.kernel.org, Cong Wang <cong.wang@...edance.com>,
        syzbot+2624e3778b18fc497c92@...kaller.appspotmail.com,
        Pieter Jansen van Vuuren 
        <pieter.jansenvanvuuren@...ronome.com>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Xin Long <lucien.xin@...il.com>, Jiri Pirko <jiri@...nulli.us>
Subject: Re: [Patch net] cls_flower: call nla_ok() before nla_next()

On Mon, 11 Jan 2021 18:55:48 -0800 Cong Wang wrote:
> From: Cong Wang <cong.wang@...edance.com>
> 
> fl_set_enc_opt() simply checks if there are still bytes left to parse,
> but this is not sufficent as syzbot seems to be able to generate
> malformatted netlink messages. nla_ok() is more strict so should be
> used to validate the next nlattr here.
> 
> And nla_validate_nested_deprecated() has less strict check too, it is
> probably too late to switch to the strict version, but we can just
> call nla_ok() too after it.
> 
> Reported-and-tested-by: syzbot+2624e3778b18fc497c92@...kaller.appspotmail.com
> Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
> Fixes: 79b1011cb33d ("net: sched: allow flower to match erspan options")
> Cc: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@...ronome.com>
> Cc: Jamal Hadi Salim <jhs@...atatu.com>
> Cc: Xin Long <lucien.xin@...il.com>
> Cc: Jiri Pirko <jiri@...nulli.us>
> Signed-off-by: Cong Wang <cong.wang@...edance.com>

Thanks for keeping up with the syzbot bugs!

> diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
> index 1319986693fc..e265c443536e 100644
> --- a/net/sched/cls_flower.c
> +++ b/net/sched/cls_flower.c
> @@ -1272,6 +1272,8 @@ static int fl_set_enc_opt(struct nlattr **tb, struct fl_flow_key *key,
>  
>  		nla_opt_msk = nla_data(tb[TCA_FLOWER_KEY_ENC_OPTS_MASK]);
>  		msk_depth = nla_len(tb[TCA_FLOWER_KEY_ENC_OPTS_MASK]);
> +		if (!nla_ok(nla_opt_msk, msk_depth))
> +			return -EINVAL;

Can we just add another call to nla_validate_nested_deprecated() 
here instead of having to worry about each attr individually?
See below..

>  	}
>  
>  	nla_for_each_attr(nla_opt_key, nla_enc_key,
> @@ -1308,7 +1310,7 @@ static int fl_set_enc_opt(struct nlattr **tb, struct fl_flow_key *key,
>  				return -EINVAL;
>  			}
>  
> -			if (msk_depth)
> +			if (nla_ok(nla_opt_msk, msk_depth))
>  				nla_opt_msk = nla_next(nla_opt_msk, &msk_depth);

Should we not error otherwise? if msk_depth && !nla_ok() then the
message is clearly misformatted. If we don't error out we'll keep
reusing the same mask over and over, while the intention of this 
code was to have mask per key AFAICT.

>  			break;
>  		case TCA_FLOWER_KEY_ENC_OPTS_VXLAN:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ