| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2e8c704f-e6a6-40b8-8d4b-7c3a987c4839@blackwall.org>
Date: Tue, 27 Feb 2024 13:25:35 +0200
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Lin Ma <linma@....edu.cn>, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, idosch@...dia.com, jiri@...nulli.us,
lucien.xin@...il.com, edwin.peer@...adcom.com, amcohen@...dia.com,
pctammela@...atatu.com, liuhangbin@...il.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v1] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS
writing back
On 2/27/24 13:01, Lin Ma wrote:
> In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks
> IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic
> in the function `rtnl_bridge_setlink` to enable the loop to also check
> the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment
> removed the `break` statement and led to an error logic of the flags
> writing back at the end of this function.
>
> if (have_flags)
> memcpy(nla_data(attr), &flags, sizeof(flags));
> // attr should point to IFLA_BRIDGE_FLAGS NLA !!!
>
> Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.
> However, this is not necessarily true fow now as the updated loop will let
> the attr point to the last NLA, even an invalid NLA which could cause
> overflow writes.
>
> This patch introduces a new variable `br_flag` to save the NLA pointer
> that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned
> error logic.
>
> Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length")
> Signed-off-by: Lin Ma <linma@....edu.cn>
> ---
That fix is obviously broken, I don't know how I missed it back then.
One comment below,
> net/core/rtnetlink.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 9c4f427f3a50..e9f16e5e3515 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -5169,10 +5169,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
> struct net *net = sock_net(skb->sk);
> struct ifinfomsg *ifm;
> struct net_device *dev;
> - struct nlattr *br_spec, *attr = NULL;
> + struct nlattr *br_spec, *attr, *br_flag = NULL;
Please name the variable to something that describes it better, like
br_flags_attr.
> int rem, err = -EOPNOTSUPP;
> u16 flags = 0;
> - bool have_flags = false;
>
> if (nlmsg_len(nlh) < sizeof(*ifm))
> return -EINVAL;
> @@ -5190,11 +5189,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
> br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
> if (br_spec) {
> nla_for_each_nested(attr, br_spec, rem) {
> - if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) {
> + if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flag) {
> if (nla_len(attr) < sizeof(flags))
> return -EINVAL;
>
> - have_flags = true;
> + br_flag = attr;
> flags = nla_get_u16(attr);
> }
>
> @@ -5238,8 +5237,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
> }
> }
>
> - if (have_flags)
> - memcpy(nla_data(attr), &flags, sizeof(flags));
> + if (br_flag)
> + memcpy(nla_data(br_flag), &flags, sizeof(flags));
> out:
> return err;
> }
Powered by blists - more mailing lists