From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Wei Chen <harperchen1110@gmail.com>,
Ido Schimmel <idosch@nvidia.com>,
Alexander Duyck <alexanderduyck@fb.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 67/86] net/sched: act_mpls: Fix warning during failed attribute validation
Date: Mon, 16 Jan 2023 16:51:41 +0100 [thread overview]
Message-ID: <20230116154749.838502770@linuxfoundation.org> (raw)
In-Reply-To: <20230116154747.036911298@linuxfoundation.org>
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 9e17f99220d111ea031b44153fdfe364b0024ff2 ]
The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a
validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid
combination according to the comment above 'struct nla_policy':
"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
NLA_BINARY Validation function called for the attribute.
All other Unused - but note that it's a union
"
This can trigger the warning [1] in nla_get_range_unsigned() when
validation of the attribute fails. Despite being of 'NLA_U32' type, the
associated 'min'/'max' fields in the policy are negative as they are
aliased by the 'validate' field.
Fix by changing the attribute type to 'NLA_BINARY' which is consistent
with the above comment and all other users of NLA_POLICY_VALIDATE_FN().
As a result, move the length validation to the validation function.
No regressions in MPLS tests:
# ./tdc.py -f tc-tests/actions/mpls.json
[...]
# echo $?
0
[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:
<TASK>
__netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x38f/0x500 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x197/0x230 net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link: https://lore.kernel.org/netdev/CAO4mrfdmjvRUNbDyP0R03_DrD_eFCLCguz6OxZ2TYRSv0K9gxA@mail.gmail.com/
Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Tested-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Link: https://lore.kernel.org/r/20230107171004.608436-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_mpls.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/sched/act_mpls.c b/net/sched/act_mpls.c
index e4529b428cf4..db0ef0486309 100644
--- a/net/sched/act_mpls.c
+++ b/net/sched/act_mpls.c
@@ -133,6 +133,11 @@ static int valid_label(const struct nlattr *attr,
{
const u32 *label = nla_data(attr);
+ if (nla_len(attr) != sizeof(*label)) {
+ NL_SET_ERR_MSG_MOD(extack, "Invalid MPLS label length");
+ return -EINVAL;
+ }
+
if (*label & ~MPLS_LABEL_MASK || *label == MPLS_LABEL_IMPLNULL) {
NL_SET_ERR_MSG_MOD(extack, "MPLS label out of range");
return -EINVAL;
@@ -144,7 +149,8 @@ static int valid_label(const struct nlattr *attr,
static const struct nla_policy mpls_policy[TCA_MPLS_MAX + 1] = {
[TCA_MPLS_PARMS] = NLA_POLICY_EXACT_LEN(sizeof(struct tc_mpls)),
[TCA_MPLS_PROTO] = { .type = NLA_U16 },
- [TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_U32, valid_label),
+ [TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
+ valid_label),
[TCA_MPLS_TC] = NLA_POLICY_RANGE(NLA_U8, 0, 7),
[TCA_MPLS_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
[TCA_MPLS_BOS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
--
2.35.1
next prev parent reply other threads:[~2023-01-16 16:05 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-16 15:50 [PATCH 5.15 00/86] 5.15.89-rc1 review Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 01/86] netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 02/86] ALSA: control-led: use strscpy in set_led_id() Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 03/86] ALSA: hda/realtek - Turn on power early Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 04/86] ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 05/86] KVM: arm64: Fix S1PTW handling on RO memslots Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 06/86] KVM: arm64: nvhe: Fix build with profile optimization Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 07/86] selftests: kvm: Fix a compile error in selftests/kvm/rseq_test.c Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 08/86] efi: tpm: Avoid READ_ONCE() for accessing the event log Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 09/86] docs: Fix the docs build with Sphinx 6.0 Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 10/86] net: stmmac: add aux timestamps fifo clearance wait Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 11/86] perf auxtrace: Fix address filter duplicate symbol selection Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 12/86] s390/kexec: fix ipl report address for kdump Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 13/86] ASoC: qcom: lpass-cpu: Fix fallback SD line index handling Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 14/86] s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 15/86] s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 16/86] drm/virtio: Fix GEM handle creation UAF Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 17/86] drm/i915/gt: Reset twice Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 18/86] net/mlx5e: Set action fwd flag when parsing tc action goto Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 19/86] cifs: Fix uninitialized memory read for smb311 posix symlink create Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 20/86] platform/x86: dell-privacy: Only register SW_CAMERA_LENS_COVER if present Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 21/86] platform/surface: aggregator: Ignore command messages not intended for us Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 22/86] platform/x86: dell-privacy: Fix SW_CAMERA_LENS_COVER reporting Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 23/86] dt-bindings: msm: dsi-controller-main: Fix operating-points-v2 constraint Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 24/86] drm/msm/adreno: Make adreno quirks not overwrite each other Greg Kroah-Hartman
2023-01-16 15:50 ` [PATCH 5.15 25/86] dt-bindings: msm: dsi-controller-main: Fix power-domain constraint Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 26/86] dt-bindings: msm: dsi-controller-main: Fix description of core clock Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 27/86] dt-bindings: msm: dsi-phy-28nm: Add missing qcom, dsi-phy-regulator-ldo-mode Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 28/86] platform/x86: ideapad-laptop: Add Legion 5 15ARH05 DMI id to set_fn_lock_led_list[] Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 29/86] drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 30/86] dt-bindings: msm/dsi: Dont require vdds-supply on 10nm PHY Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 31/86] dt-bindings: msm/dsi: Dont require vcca-supply on 14nm PHY Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 32/86] platform/x86: sony-laptop: Dont turn off 0x153 keyboard backlight during probe Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 33/86] ixgbe: fix pci device refcount leak Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 34/86] ipv6: raw: Deduct extension header length in rawv6_push_pending_frames Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 35/86] bus: mhi: host: Fix race between channel preparation and M0 event Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 36/86] usb: ulpi: defer ulpi_register on ulpi_read_id timeout Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 37/86] iommu/iova: Fix alloc iova overflows issue Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 38/86] iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 39/86] sched/core: Fix use-after-free bug in dup_user_cpus_ptr() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 40/86] netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 41/86] powerpc/imc-pmu: Fix use of mutex in IRQs disabled section Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 42/86] x86/boot: Avoid using Intel mnemonics in AT&T syntax asm Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 43/86] EDAC/device: Fix period calculation in edac_device_reset_delay_period() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 44/86] x86/resctrl: Fix task CLOSID/RMID update race Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 45/86] regulator: da9211: Use irq handler when ready Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 46/86] scsi: mpi3mr: Refer CONFIG_SCSI_MPI3MR in Makefile Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 47/86] scsi: ufs: Stop using the clock scaling lock in the error handler Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 48/86] scsi: ufs: core: WLUN suspend SSU/enter hibern8 fail recovery Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 49/86] ASoC: wm8904: fix wrong outputs volume after power reactivation Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 50/86] ALSA: usb-audio: Make sure to stop endpoints before closing EPs Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 51/86] ALSA: usb-audio: Relax hw constraints for implicit fb sync Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 52/86] tipc: fix unexpected link reset due to discovery messages Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 53/86] octeontx2-af: Fix LMAC config in cgx_lmac_rx_tx_enable Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 54/86] hvc/xen: lock console list traversal Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 55/86] nfc: pn533: Wait for out_urbs completion in pn533_usb_send_frame() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 56/86] af_unix: selftest: Fix the size of the parameter to connect() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 57/86] tools/nolibc: x86: Remove `r8`, `r9` and `r10` from the clobber list Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 58/86] tools/nolibc: x86-64: Use `mov $60,%eax` instead of `mov $60,%rax` Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 59/86] tools/nolibc: use pselect6 on RISCV Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 60/86] tools/nolibc/std: move the standard type definitions to std.h Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 61/86] tools/nolibc/types: split syscall-specific definitions into their own files Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 62/86] tools/nolibc/arch: split arch-specific code into individual files Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 63/86] tools/nolibc/arch: mark the _start symbol as weak Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 64/86] tools/nolibc: Remove .global _start from the entry point code Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 65/86] tools/nolibc: restore mips branch ordering in the _start block Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 66/86] tools/nolibc: fix the O_* fcntl/open macro definitions for riscv Greg Kroah-Hartman
2023-01-16 15:51 ` Greg Kroah-Hartman [this message]
2023-01-16 15:51 ` [PATCH 5.15 68/86] net/mlx5: Fix ptp max frequency adjustment range Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 69/86] net/mlx5e: Dont support encap rules with gbp option Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 70/86] perf build: Properly guard libbpf includes Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 71/86] igc: Fix PPS delta between two synchronized end-points Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 72/86] platform/surface: aggregator: Add missing call to ssam_request_sync_free() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 73/86] mm: Always release pages to the buddy allocator in memblock_free_late() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 74/86] Documentation: KVM: add API issues section Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 75/86] KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 76/86] io_uring: lock overflowing for IOPOLL Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 77/86] arm64: atomics: format whitespace consistently Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 78/86] arm64: atomics: remove LL/SC trampolines Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 79/86] arm64: cmpxchg_double*: hazard against entire exchange variable Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 80/86] efi: fix NULL-deref in init error path Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 81/86] scsi: mpt3sas: Remove scsi_dma_map() error messages Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 82/86] io_uring/io-wq: free worker if task_work creation is canceled Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 83/86] io_uring/io-wq: only free worker if it was allocated for creation Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 84/86] block: handle bio_split_to_limits() NULL return Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.15 85/86] Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout" Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.15 86/86] pinctrl: amd: Add dynamic debugging for active GPIOs Greg Kroah-Hartman
2023-01-16 23:57 ` [PATCH 5.15 00/86] 5.15.89-rc1 review Shuah Khan
2023-01-17 3:59 ` Bagas Sanjaya
2023-01-17 11:13 ` Jon Hunter
2023-01-17 11:27 ` Naresh Kamboju
2023-01-17 14:23 ` Nathan Chancellor
2023-01-17 14:31 ` Greg Kroah-Hartman
2023-01-17 12:41 ` Sudip Mukherjee
2023-01-17 13:19 ` Allen Pais
2023-01-18 1:39 ` Guenter Roeck
2023-01-18 2:55 ` Kelsey Steele
2023-01-18 8:27 ` Ron Economos
2023-01-18 18:10 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230116154749.838502770@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexanderduyck@fb.com \
--cc=harperchen1110@gmail.com \
--cc=idosch@nvidia.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.