| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Jul 2023 20:13:24 +0800
From: Lin Ma <linma@....edu.cn>
To: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
fw@...len.de,
yang.lee@...ux.alibaba.com,
jgg@...pe.ca,
markzhang@...dia.com,
phaddad@...dia.com,
yuancan@...wei.com,
linma@....edu.cn,
ohartoov@...dia.com,
chenzhongjin@...wei.com,
aharonl@...dia.com,
leon@...nel.org,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-rdma@...r.kernel.org
Subject: [PATCH net v1 2/2] RDMA/nldev: specify the nested length of RDMA_NLDEV_ATTR_STAT_HWCOUNTERS
The nla_for_each_nested parsing in function
nldev_stat_set_counter_dynamic_doit() does not check the length of the
attribute. This can lead to an out-of-attribute read and allow a
malformed nlattr (e.g., length 0) to be viewed as a 4 byte integer.
This patch leverages the newly introduced NLA_POLICY_NESTED_NO_TYPE
which sets the len field in nla_policy and allows the nlmsg_parse in
function nldev_stat_set_doit checks the nested length.
Fixes: 3c3c1f141639 ("RDMA/nldev: Allow optional-counter status configuration through RDMA netlink")
Signed-off-by: Lin Ma <linma@....edu.cn>
---
drivers/infiniband/core/nldev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index d5d3e4f0de77..c33eacc18d97 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -145,7 +145,7 @@ static const struct nla_policy nldev_policy[RDMA_NLDEV_ATTR_MAX] = {
[RDMA_NLDEV_ATTR_STAT_COUNTER] = { .type = NLA_NESTED },
[RDMA_NLDEV_ATTR_STAT_COUNTER_ENTRY] = { .type = NLA_NESTED },
[RDMA_NLDEV_ATTR_STAT_COUNTER_ID] = { .type = NLA_U32 },
- [RDMA_NLDEV_ATTR_STAT_HWCOUNTERS] = { .type = NLA_NESTED },
+ [RDMA_NLDEV_ATTR_STAT_HWCOUNTERS] = NLA_POLICY_NESTED_NO_TYPE(sizeof(u32)),
[RDMA_NLDEV_ATTR_STAT_HWCOUNTER_ENTRY] = { .type = NLA_NESTED },
[RDMA_NLDEV_ATTR_STAT_HWCOUNTER_ENTRY_NAME] = { .type = NLA_NUL_STRING },
[RDMA_NLDEV_ATTR_STAT_HWCOUNTER_ENTRY_VALUE] = { .type = NLA_U64 },
--
2.17.1
Powered by blists - more mailing lists