From: "Michael S. Tsirkin" <mst@redhat.com>
To: Lin Ma <linma@zju.edu.cn>
Cc: xuanzhuo@linux.alibaba.com, linux-kernel@vger.kernel.org,
virtualization@lists.linux-foundation.org
Subject: Re: [PATCH v1] vdpa: Complement vdpa_nl_policy for nlattr length check
Date: Sun, 23 Jul 2023 05:22:03 -0400 [thread overview]
Message-ID: <20230723050656-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20230723080507.3716924-1-linma@zju.edu.cn>
On Sun, Jul 23, 2023 at 04:05:07PM +0800, Lin Ma wrote:
> The vdpa_nl_policy structure is used to validate the nlattr when parsing
> the incoming nlmsg. It will ensure the attribute being described produces
> a valid nlattr pointer in info->attrs before entering into each handler
> in vdpa_nl_ops.
>
> That is to say, the missing part in vdpa_nl_policy may lead to illegal
> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
Hmm.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3773
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
> This patch adds three missing nla_policy to avoid such bugs.
>
> Fixes: 90fea5a800c3 ("vdpa: device feature provisioning")
> Fixes: 13b00b135665 ("vdpa: Add support for querying vendor statistics")
> Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
I don't know how OOB triggers but this duplication is problematic I
think: we are likely to forget again in the future. Isn't there a way
to block everything that is not listed?
> ---
> drivers/vdpa/vdpa.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
> index 965e32529eb8..f2f654fd84e5 100644
> --- a/drivers/vdpa/vdpa.c
> +++ b/drivers/vdpa/vdpa.c
> @@ -1247,8 +1247,11 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
> [VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
> [VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING },
> [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
> + [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 },
> /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
> [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
> + [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
> + [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
> };
>
> static const struct genl_ops vdpa_nl_ops[] = {
> --
> 2.17.1
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
WARNING: multiple messages have this Message-ID (diff)
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Lin Ma <linma@zju.edu.cn>
Cc: jasowang@redhat.com, xuanzhuo@linux.alibaba.com,
virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] vdpa: Complement vdpa_nl_policy for nlattr length check
Date: Sun, 23 Jul 2023 05:22:03 -0400 [thread overview]
Message-ID: <20230723050656-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20230723080507.3716924-1-linma@zju.edu.cn>
On Sun, Jul 23, 2023 at 04:05:07PM +0800, Lin Ma wrote:
> The vdpa_nl_policy structure is used to validate the nlattr when parsing
> the incoming nlmsg. It will ensure the attribute being described produces
> a valid nlattr pointer in info->attrs before entering into each handler
> in vdpa_nl_ops.
>
> That is to say, the missing part in vdpa_nl_policy may lead to illegal
> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
Hmm.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3773
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
> This patch adds three missing nla_policy to avoid such bugs.
>
> Fixes: 90fea5a800c3 ("vdpa: device feature provisioning")
> Fixes: 13b00b135665 ("vdpa: Add support for querying vendor statistics")
> Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
I don't know how OOB triggers but this duplication is problematic I
think: we are likely to forget again in the future. Isn't there a way
to block everything that is not listed?
> ---
> drivers/vdpa/vdpa.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
> index 965e32529eb8..f2f654fd84e5 100644
> --- a/drivers/vdpa/vdpa.c
> +++ b/drivers/vdpa/vdpa.c
> @@ -1247,8 +1247,11 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
> [VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
> [VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING },
> [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
> + [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 },
> /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
> [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
> + [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
> + [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
> };
>
> static const struct genl_ops vdpa_nl_ops[] = {
> --
> 2.17.1
next prev parent reply other threads:[~2023-07-23 9:22 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-23 8:05 [PATCH v1] vdpa: Complement vdpa_nl_policy for nlattr length check Lin Ma
2023-07-23 9:22 ` Michael S. Tsirkin [this message]
2023-07-23 9:22 ` Michael S. Tsirkin
2023-07-23 9:33 ` Lin Ma
2023-07-23 9:48 ` Lin Ma
2023-07-23 10:02 ` Michael S. Tsirkin
2023-07-23 10:02 ` Michael S. Tsirkin
2023-07-24 7:11 ` Jason Wang
2023-07-24 7:11 ` Jason Wang
2023-07-24 8:38 ` Dragos Tatulea via Virtualization
2023-07-24 8:38 ` Dragos Tatulea
2023-07-24 9:16 ` Michael S. Tsirkin
2023-07-24 9:16 ` Michael S. Tsirkin
2023-07-24 11:42 ` Dragos Tatulea via Virtualization
2023-07-24 11:42 ` Dragos Tatulea
2023-07-24 20:08 ` Michael S. Tsirkin
2023-07-24 20:08 ` Michael S. Tsirkin
2023-07-25 8:26 ` Dragos Tatulea via Virtualization
2023-07-25 8:26 ` Dragos Tatulea
2023-07-26 11:47 ` Michael S. Tsirkin
2023-07-26 11:47 ` Michael S. Tsirkin
2023-07-23 9:55 ` Michael S. Tsirkin
2023-07-23 9:55 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230723050656-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=linma@zju.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=virtualization@lists.linux-foundation.org \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.