From: Ido Schimmel <idosch@idosch.org>
To: Oscar Maes <oscmaes92@gmail.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
viro@zeniv.linux.org.uk, jiri@resnulli.us,
linux-kernel@vger.kernel.org, security@kernel.org,
syzbot <syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com>
Subject: Re: [PATCH net] net: 802: enforce underlying device type for GARP and MRP
Date: Wed, 12 Feb 2025 16:29:43 +0200 [thread overview]
Message-ID: <Z6ywV4OkFu52AB8P@shredder> (raw)
In-Reply-To: <20250212113218.9859-1-oscmaes92@gmail.com>
On Wed, Feb 12, 2025 at 12:32:18PM +0100, Oscar Maes wrote:
> When creating a VLAN device, we initialize GARP (garp_init_applicant)
> and MRP (mrp_init_applicant) for the underlying device.
>
> As part of the initialization process, we add the multicast address of
> each applicant to the underlying device, by calling dev_mc_add.
>
> __dev_mc_add uses dev->addr_len to determine the length of the new
> multicast address.
>
> This causes an out-of-bounds read if dev->addr_len is greater than 6,
> since the multicast addresses provided by GARP and MRP are only 6 bytes
> long.
>
> This behaviour can be reproduced using the following commands:
>
> ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo
> ip l set up dev gretest
> ip link add link gretest name vlantest type vlan id 100
>
> Then, the following command will display the address of garp_pdu_rcv:
>
> ip maddr show | grep 01:80:c2:00:00:21
>
> Fix this by enforcing the type and address length of
> the underlying device during GARP and MRP initialization.
>
> Fixes: 22bedad3ce11 ("net: convert multicast list to list_head")
> Reported-by: syzbot <syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com>
> Closes: https://lore.kernel.org/netdev/000000000000ca9a81061a01ec20@google.com/
> Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
> ---
> net/802/garp.c | 5 +++++
> net/802/mrp.c | 5 +++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/net/802/garp.c b/net/802/garp.c
> index 27f0ab146..2f383ee73 100644
> --- a/net/802/garp.c
> +++ b/net/802/garp.c
> @@ -9,6 +9,7 @@
> #include <linux/skbuff.h>
> #include <linux/netdevice.h>
> #include <linux/etherdevice.h>
> +#include <linux/if_arp.h>
> #include <linux/rtnetlink.h>
> #include <linux/llc.h>
> #include <linux/slab.h>
> @@ -574,6 +575,10 @@ int garp_init_applicant(struct net_device *dev, struct garp_application *appl)
>
> ASSERT_RTNL();
>
> + err = -EINVAL;
> + if (dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN)
Checking for 'ARPHRD_ETHER' is not enough? Other virtual devices such as
macsec, macvlan and ipvlan only look at 'dev->type' AFAICT.
Also, how about moving this to vlan_check_real_dev()? It's common to
both the IOCTL and netlink paths.
> + goto err1;
> +
> if (!rtnl_dereference(dev->garp_port)) {
> err = garp_init_port(dev);
> if (err < 0)
> diff --git a/net/802/mrp.c b/net/802/mrp.c
> index e0c96d0da..1efee0b39 100644
> --- a/net/802/mrp.c
> +++ b/net/802/mrp.c
> @@ -12,6 +12,7 @@
> #include <linux/skbuff.h>
> #include <linux/netdevice.h>
> #include <linux/etherdevice.h>
> +#include <linux/if_arp.h>
> #include <linux/rtnetlink.h>
> #include <linux/slab.h>
> #include <linux/module.h>
> @@ -859,6 +860,10 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl)
>
> ASSERT_RTNL();
>
> + err = -EINVAL;
> + if (dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN)
> + goto err1;
> +
> if (!rtnl_dereference(dev->mrp_port)) {
> err = mrp_init_port(dev);
> if (err < 0)
> --
> 2.39.5
>
>
next prev parent reply other threads:[~2025-02-12 14:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-12 11:32 [PATCH net] net: 802: enforce underlying device type for GARP and MRP Oscar Maes
2025-02-12 12:36 ` Greg KH
2025-02-12 14:29 ` Ido Schimmel [this message]
2025-02-25 14:11 ` Oscar Maes
2025-02-25 19:39 ` Ido Schimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z6ywV4OkFu52AB8P@shredder \
--to=idosch@idosch.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oscmaes92@gmail.com \
--cc=pabeni@redhat.com \
--cc=security@kernel.org \
--cc=syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.