[PATCH net] net: 802: enforce underlying device type for GARP and MRP

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Oscar Maes <oscmaes92@gmail.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, horms@kernel.org, viro@zeniv.linux.org.uk,
	jiri@resnulli.us, linux-kernel@vger.kernel.org,
	security@kernel.org, Oscar Maes <oscmaes92@gmail.com>,
	syzbot <syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com>
Subject: [PATCH net] net: 802: enforce underlying device type for GARP and MRP
Date: Wed, 12 Feb 2025 12:32:18 +0100	[thread overview]
Message-ID: <20250212113218.9859-1-oscmaes92@gmail.com> (raw)

When creating a VLAN device, we initialize GARP (garp_init_applicant)
and MRP (mrp_init_applicant) for the underlying device.

As part of the initialization process, we add the multicast address of
each applicant to the underlying device, by calling dev_mc_add.

__dev_mc_add uses dev->addr_len to determine the length of the new
multicast address.

This causes an out-of-bounds read if dev->addr_len is greater than 6,
since the multicast addresses provided by GARP and MRP are only 6 bytes
long.

This behaviour can be reproduced using the following commands:

ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo
ip l set up dev gretest
ip link add link gretest name vlantest type vlan id 100

Then, the following command will display the address of garp_pdu_rcv:

ip maddr show | grep 01:80:c2:00:00:21

Fix this by enforcing the type and address length of
the underlying device during GARP and MRP initialization.

Fixes: 22bedad3ce11 ("net: convert multicast list to list_head")
Reported-by: syzbot <syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/netdev/000000000000ca9a81061a01ec20@google.com/
Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
---
 net/802/garp.c | 5 +++++
 net/802/mrp.c  | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/net/802/garp.c b/net/802/garp.c
index 27f0ab146..2f383ee73 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -9,6 +9,7 @@
 #include <linux/skbuff.h>
 #include <linux/netdevice.h>
 #include <linux/etherdevice.h>
+#include <linux/if_arp.h>
 #include <linux/rtnetlink.h>
 #include <linux/llc.h>
 #include <linux/slab.h>
@@ -574,6 +575,10 @@ int garp_init_applicant(struct net_device *dev, struct garp_application *appl)
 
 	ASSERT_RTNL();
 
+	err = -EINVAL;
+	if (dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN)
+		goto err1;
+
 	if (!rtnl_dereference(dev->garp_port)) {
 		err = garp_init_port(dev);
 		if (err < 0)
diff --git a/net/802/mrp.c b/net/802/mrp.c
index e0c96d0da..1efee0b39 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -12,6 +12,7 @@
 #include <linux/skbuff.h>
 #include <linux/netdevice.h>
 #include <linux/etherdevice.h>
+#include <linux/if_arp.h>
 #include <linux/rtnetlink.h>
 #include <linux/slab.h>
 #include <linux/module.h>
@@ -859,6 +860,10 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl)
 
 	ASSERT_RTNL();
 
+	err = -EINVAL;
+	if (dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN)
+		goto err1;
+
 	if (!rtnl_dereference(dev->mrp_port)) {
 		err = mrp_init_port(dev);
 		if (err < 0)
-- 
2.39.5

next             reply	other threads:[~2025-02-12 11:34 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-12 11:32 Oscar Maes [this message]
2025-02-12 12:36 ` [PATCH net] net: 802: enforce underlying device type for GARP and MRP Greg KH
2025-02-12 14:29 ` Ido Schimmel
2025-02-25 14:11   ` Oscar Maes
2025-02-25 19:39     ` Ido Schimmel

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:27f0ab14 dfblob:2f383ee7 dfblob:e0c96d0d dfblob:1efee0b3 )
 OR (
bs:"[PATCH net] net: 802: enforce underlying device type for GARP and MRP" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250212113218.9859-1-oscmaes92@gmail.com \
    --to=oscmaes92@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=security@kernel.org \
    --cc=syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.