Date: Sat, 17 Dec 2022 14:17:07 -0800 From: Cong Wang <xiyou.wangcong@...il.com> To: netdev@...r.kernel.org Cc: Cong Wang <cong.wang@...edance.com>, syzbot+4caeae4c7103813598ae@...kaller.appspotmail.com, Jun Nie <jun.nie@...aro.org>, Jamal Hadi Salim <jhs@...atatu.com>, Paolo Abeni <pabeni@...hat.com> Subject: [Patch net] net_sched: reject TCF_EM_SIMPLE case for complex ematch module From: Cong Wang <cong.wang@...edance.com> When TCF_EM_SIMPLE was introduced, it is supposed to be convenient for ematch implementation: https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/ "You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE set will simply result in allocating & copy. It's an optimization, nothing more." So if an ematch module provides ops->datalen that means it wants a complex data structure (saved in its em->data) instead of a simple u32 value. We should simply reject such a combination, otherwise this u32 could be misinterpreted as a pointer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+4caeae4c7103813598ae@...kaller.appspotmail.com Reported-by: Jun Nie <jun.nie@...aro.org> Cc: Jamal Hadi Salim <jhs@...atatu.com> Cc: Paolo Abeni <pabeni@...hat.com> Signed-off-by: Cong Wang <cong.wang@...edance.com> --- net/sched/ematch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/sched/ematch.c b/net/sched/ematch.c index 4ce681361851..5c1235e6076a 100644 --- a/net/sched/ematch.c +++ b/net/sched/ematch.c @@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp, * the value carried. */ if (em_hdr->flags & TCF_EM_SIMPLE) { + if (em->ops->datalen > 0) + goto errout; if (data_len < sizeof(u32)) goto errout; em->data = *(u32 *) data; -- 2.34.1
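Review bot: The new "em->ops->datalen > 0" check inside the TCF_EM_SIMPLE branch carries no comment, and the existing comment ending in "the value carried." above it still describes only the simple-payload case. A short comment at the check, saying that a module declaring ops->datalen expects em->data to hold a pointer to its own structure and so the raw u32 stored by "em->data = *(u32 *) data;" has to be refused, would keep the reason next to the code rather than only in the commit message. The check also shares the errout label with the "data_len < sizeof(u32)" test, so it is worth confirming that the error code set before this point is the one intended for an invalid flag and module combination.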