lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89i+UNcG0PJMW5X7gOMunF38ryMh=L1aeZUKH3kL4UdUqag@mail.gmail.com>
Date: Sat, 9 Mar 2024 16:02:35 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Petr Machata <petrm@...dia.com>
Cc: "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, 
	Ido Schimmel <idosch@...dia.com>, David Ahern <dsahern@...nel.org>, Simon Horman <horms@...nel.org>, 
	mlxsw@...dia.com
Subject: Re: [PATCH net-next v4 1/7] net: nexthop: Adjust netlink policy
 parsing for a new attribute

On Wed, Mar 6, 2024 at 1:50 PM Petr Machata <petrm@...dia.com> wrote:
>
> A following patch will introduce a new attribute, op-specific flags to
> adjust the behavior of an operation. Different operations will recognize
> different flags.
>
> - To make the differentiation possible, stop sharing the policies for get
>   and del operations.
>
> - To allow querying for presence of the attribute, have all the attribute
>   arrays sized to NHA_MAX, regardless of what is permitted by policy, and
>   pass the corresponding value to nlmsg_parse() as well.
>
> Signed-off-by: Petr Machata <petrm@...dia.com>
> Reviewed-by: David Ahern <dsahern@...nel.org>
> Reviewed-by: Ido Schimmel <idosch@...dia.com>
> ---
>  net/ipv4/nexthop.c | 58 ++++++++++++++++++++++------------------------
>  1 file changed, 28 insertions(+), 30 deletions(-)
>
> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> index 70509da4f080..bcd4df2f1cad 100644
> --- a/net/ipv4/nexthop.c
> +++ b/net/ipv4/nexthop.c
> @@ -43,6 +43,10 @@ static const struct nla_policy rtm_nh_policy_get[] = {
>         [NHA_ID]                = { .type = NLA_U32 },
>  };
>
> +static const struct nla_policy rtm_nh_policy_del[] = {
> +       [NHA_ID]                = { .type = NLA_U32 },
> +};

Bogus repeated pattern in this patch.

rtm_nh_policy_del[] has only NHA_ID entry defined.

So the array size is small.

> +
>  static const struct nla_policy rtm_nh_policy_dump[] = {
>         [NHA_OIF]               = { .type = NLA_U32 },
>         [NHA_GROUPS]            = { .type = NLA_FLAG },
> @@ -2966,9 +2970,9 @@ static int rtm_new_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>         return err;
>  }
>
>

...

> -
>  /* rtnl */
>  static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>                            struct netlink_ext_ack *extack)
>  {
>         struct net *net = sock_net(skb->sk);
> +       struct nlattr *tb[NHA_MAX + 1];

big tb[] array, but small rtm_nh_policy_del[] policy.

>         struct nl_info nlinfo = {
>                 .nlh = nlh,
>                 .nl_net = net,
> @@ -3020,7 +3010,12 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>         int err;
>         u32 id;
>
> -       err = nh_valid_get_del_req(nlh, &id, extack);
> +       err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,

But here you pass NHA_MAX...

> +                         rtm_nh_policy_del, extack);
> +       if (err < 0)
> +               return err;

So  we hit :

kernel BUG at lib/nlattr.c:411 !
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 14369 Comm: syz-executor.2 Not tainted
6.8.0-rc7-syzkaller-02415-g2f901582f032 #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 02/29/2024
RIP: 0010:validate_nla lib/nlattr.c:411 [inline]
RIP: 0010:__nla_validate_parse+0x2f61/0x2f70 lib/nlattr.c:635
Code: 48 8b 4c 24 18 80 e1 07 38 c1 0f 8c e0 f7 ff ff 48 8b 7c 24 18
e8 ff 0e 1d fd e9 d1 f7 ff ff e8 d5 c2 91 06 e8 50 64 ba fc 90 <0f> 0b
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 90
RSP: 0018:ffffc90003c1eec0 EFLAGS: 00010287
RAX: ffffffff84d90ad0 RBX: ffffffff8caa11b0 RCX: 0000000000040000
RDX: ffffc9000499a000 RSI: 000000000000065e RDI: 000000000000065f
RBP: ffffc90003c1f100 R08: ffffffff84d8df5b R09: 0000000000000000
R10: ffffc90003c1f1a0 R11: fffff52000783e46 R12: 0000000000000008
R13: 1ffff1100f9c4183 R14: 000000000000006e R15: 0000000000000005
FS: 00007f5fe2d916c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000440 CR3: 00000000229a2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__nla_parse+0x40/0x60 lib/nlattr.c:732
__nlmsg_parse include/net/netlink.h:756 [inline]
nlmsg_parse include/net/netlink.h:777 [inline]
rtm_del_nexthop+0x257/0x6d0 net/ipv4/nexthop.c:3256
rtnetlink_rcv_msg+0x89b/0x10d0 net/core/rtnetlink.c:6595
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2556
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x8e0/0xcb0 net/netlink/af_netlink.c:1902
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f5fe207dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5fe2d910c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5fe21abf80 RCX: 00007f5fe207dda9
RDX: 0000000000000000 RSI: 0000000020000440 RDI: 0000000000000003
RBP: 00007f5fe20ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f5fe21abf80 R15: 00007fff7d5a1278

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ