lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 23 Jul 2023 18:41:52 -0300
From: Victor Nogueira <victor@...atatu.com>
To: Lin Ma <linma@....edu.cn>, jhs@...atatu.com, xiyou.wangcong@...il.com,
 jiri@...nulli.us, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] net/sched: mqprio: Add length check for
 TCA_MQPRIO_{MAX/MIN}_RATE64

On 23/07/2023 04:56, Lin Ma wrote:
> The nla_for_each_nested parsing in function mqprio_parse_nlattr() does
> not check the length of the nested attribute. This can lead to an
> out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
> be viewed as 8 byte integer and passed to priv->max_rate/min_rate.
> 
> This patch adds the check based on nla_len() when check the nla_type(),
> which ensures that the attribute has enough length.
> 
> Fixes: 4e8b86c06269 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
> Signed-off-by: Lin Ma <linma@....edu.cn>
> ---
>   net/sched/sch_mqprio.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
> index ab69ff7577fc..7bd1d261d8e7 100644
> --- a/net/sched/sch_mqprio.c
> +++ b/net/sched/sch_mqprio.c
> @@ -285,7 +285,8 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt,
>   		i = 0;
>   		nla_for_each_nested(attr, tb[TCA_MQPRIO_MIN_RATE64],
>   				    rem) {
> -			if (nla_type(attr) != TCA_MQPRIO_MIN_RATE64) {
> +			if (nla_type(attr) != TCA_MQPRIO_MIN_RATE64 ||
> +			    nla_len(attr) < sizeof(u64)) {

Shouldn't the check be nla_len(attr) != sizeof(u64)?
An attribute with a bigger length also seems to be invalid.

You could also separate this check into another if statement,
so that the error message is clearer in regards to why the attr is
invalid. Something like:

if (nla_len(attr) != sizeof(u64)) {
         NL_SET_ERR_MSG_ATTR_FMT(extack, attr,
                                 "Attribute length expected to be %lu",
                                 sizeof(u64));
         return -EINVAL;
}

>   				NL_SET_ERR_MSG_ATTR(extack, attr,
>   						    "Attribute type expected to be TCA_MQPRIO_MIN_RATE64");
>   				return -EINVAL;
> @@ -307,7 +308,8 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt,
>   		i = 0;
>   		nla_for_each_nested(attr, tb[TCA_MQPRIO_MAX_RATE64],
>   				    rem) {
> -			if (nla_type(attr) != TCA_MQPRIO_MAX_RATE64) {
> +			if (nla_type(attr) != TCA_MQPRIO_MAX_RATE64 ||
> +			    nla_len(attr) < sizeof(u64)) {

Same as the previous comment.

>   				NL_SET_ERR_MSG_ATTR(extack, attr,
>   						    "Attribute type expected to be TCA_MQPRIO_MAX_RATE64");
>   				return -EINVAL;

cheers,
Victor

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ