* [PATCH v3 0/4] vdpa: Enable strict validation for netlink ops
@ 2023-07-27 17:57 Dragos Tatulea
From: Dragos Tatulea @ 2023-07-27 17:57 UTC
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: virtualization, linux-kernel, Dragos Tatulea
The original patch from Lin Ma enables the vdpa driver to use validation
netlink ops. The patch got split into 3 parts for easier backporting.
The last patch simply disables the validation skip which is no longer
necessary. Patchset started off from this discussion [0].
[0] https://lore.kernel.org/virtualization/20230726074710-mutt-send-email-mst@kernel.org/T/#t
v3:
- Split initial patch for easier backporting.
- Correctly marked patches for stable inclusion.
v2:
- cc'ed stable
Dragos Tatulea (1):
vdpa: Enable strict validation for netlinks ops
Lin Ma (3):
vdpa: Add features attr to vdpa_nl_policy for nlattr length check
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
drivers/vdpa/vdpa.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--
2.41.0
* [PATCH 1/4] vdpa: Add features attr to vdpa_nl_policy for nlattr length check
From: Dragos Tatulea @ 2023-07-27 17:57 UTC
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: virtualization, linux-kernel, stable
From: Lin Ma <linma@zju.edu.cn>
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa features attr to avoid
such bugs.
Fixes: 90fea5a800c3 ("vdpa: device feature provisioning")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 965e32529eb8..3ad355a2208a 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1249,6 +1249,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
/* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
[VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
+ [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
};
static const struct genl_ops vdpa_nl_ops[] = {
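Review bot: The added [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 } line is justified only by a generic changelog that does not name the handler in vdpa_nl_ops that reads this attribute, which makes the Fixes: target hard to confirm for a stable backport. Suggest one sentence in the commit message naming that reader. The entry constrains the payload size only, so any decision about which feature bits are acceptable still has to be made in the handler.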
--
2.41.0
* [PATCH 2/4] vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
From: Dragos Tatulea @ 2023-07-27 17:57 UTC
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: virtualization, linux-kernel, stable
From: Lin Ma <linma@zju.edu.cn>
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa queue index attr to avoid
such bugs.
Fixes: 13b00b135665 ("vdpa: Add support for querying vendor statistics")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 3ad355a2208a..75f1df2b9d2a 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1249,6 +1249,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
/* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
[VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
+ [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
[VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
};
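Review bot: [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 } checks the attribute length but places no bound on the value, so any 32-bit index still reaches the handler. Since the valid range depends on the device, the policy cannot express it; suggest the changelog say explicitly that the range check stays in the handler, so the "length check" in the subject is not read as full validation of the index.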
--
2.41.0
* [PATCH 3/4] vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
From: Dragos Tatulea @ 2023-07-27 17:57 UTC
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: virtualization, linux-kernel, stable
From: Lin Ma <linma@zju.edu.cn>
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa max vqp attr to avoid
such bugs.
Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 75f1df2b9d2a..f2f654fd84e5 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1247,6 +1247,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
[VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING },
[VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
+ [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 },
/* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
[VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
[VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
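Review bot: The new [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 } entry has no lower bound, while the MTU entry two lines below uses NLA_POLICY_MIN(NLA_U16, 68), so a value of 0 passes the policy. If zero queue pairs is never a valid request, NLA_POLICY_MIN(NLA_U16, 1) would reject it at parse time; otherwise the changelog should note that the handler is expected to range-check the value.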
--
2.41.0
* [PATCH 4/4] vdpa: Enable strict validation for netlinks ops
From: Dragos Tatulea @ 2023-07-27 17:57 UTC
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: virtualization, linux-kernel, Dragos Tatulea, stable
The previous patches added the missing nla policies that were required for
validation to work.
Now strict validation on netlink ops can be enabled. This patch does it.
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index f2f654fd84e5..a7612e0783b3 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1257,37 +1257,31 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
static const struct genl_ops vdpa_nl_ops[] = {
{
.cmd = VDPA_CMD_MGMTDEV_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_mgmtdev_get_doit,
.dumpit = vdpa_nl_cmd_mgmtdev_get_dumpit,
},
{
.cmd = VDPA_CMD_DEV_NEW,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_add_set_doit,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = VDPA_CMD_DEV_DEL,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_del_set_doit,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = VDPA_CMD_DEV_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_get_doit,
.dumpit = vdpa_nl_cmd_dev_get_dumpit,
},
{
.cmd = VDPA_CMD_DEV_CONFIG_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_config_get_doit,
.dumpit = vdpa_nl_cmd_dev_config_get_dumpit,
},
{
.cmd = VDPA_CMD_DEV_VSTATS_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_stats_get_doit,
.flags = GENL_ADMIN_PERM,
},
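Review bot: Dropping .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP from all six ops means any attribute that still has no entry in vdpa_nl_policy is now rejected instead of passed through, and dump requests are validated as well. The changelog only says the three earlier patches added "the missing nla policies"; it should state that every VDPA_ATTR_* that userspace sends was checked against the policy table, because a missed one becomes a userspace-visible failure. This patch carries Cc: stable but no Fixes: tag, so it is a behaviour change rather than a fix, and the stable marking deserves an explicit justification.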
--
2.41.0
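The failure mode described in the commit messages of patches 1-3, and the effect of the strict mode enabled by patch 4/4, as a userspace model added here (not code from the patches or the kernel). The attribute ids, type names, tables and the features_overread() helper are assumptions made for the example, and the handler is assumed to read the features attribute as a u64.

```c
#include <stdint.h>
#include <string.h>

/* Userspace model of policy-driven attribute parsing, not kernel code.
 * Attribute ids, type names and the sample message are constructed. */
struct attr_hdr { uint16_t len, type; };         /* len counts the 4-byte header */
enum { T_UNSPEC, T_U16, T_U32, T_U64 };          /* T_UNSPEC: no policy entry */
enum { A_MTU = 1, A_QUEUE_INDEX, A_FEATURES, A_MAX };
static const uint8_t min_payload[] = { [T_U16] = 2, [T_U32] = 4, [T_U64] = 8 };
static const uint8_t policy_before[A_MAX] = { [A_MTU] = T_U16 };
static const uint8_t policy_after[A_MAX] = { [A_MTU] = T_U16,
    [A_QUEUE_INDEX] = T_U32, [A_FEATURES] = T_U64 };

/* Record each payload length in plen[] (-1 = absent). Returns -1 when the
 * message is rejected; strict also rejects attributes with no policy entry. */
static int parse_attrs(const uint8_t *buf, size_t n, const uint8_t *policy,
                       int strict, int *plen)
{
    for (int i = 0; i < A_MAX; i++)
        plen[i] = -1;
    for (size_t off = 0; off + sizeof(struct attr_hdr) <= n; ) {
        struct attr_hdr h;
        memcpy(&h, buf + off, sizeof(h));
        int known = h.type > 0 && h.type < A_MAX;
        uint8_t t = known ? policy[h.type] : T_UNSPEC;
        if (h.len < sizeof(h) || h.len > n - off ||  /* malformed header */
            (t == T_UNSPEC && strict) ||             /* no policy entry */
            h.len - sizeof(h) < min_payload[t])      /* payload too short */
            return -1;
        if (known)
            plen[h.type] = (int)(h.len - sizeof(h));
        off += (h.len + 3u) & ~3u;                   /* 4-byte alignment */
    }
    return 0;
}

/* Send one A_FEATURES attribute with dlen payload bytes. Returns -1 if the
 * parser rejects it, else how many bytes a u64 read would run past the payload. */
static int features_overread(uint16_t dlen, const uint8_t *policy, int strict)
{
    uint8_t msg[16] = { 0 };
    struct attr_hdr h = { (uint16_t)(sizeof(h) + dlen), A_FEATURES };
    int plen[A_MAX];
    if (dlen > sizeof(msg) - sizeof(h))
        return -1;
    memcpy(msg, &h, sizeof(h));
    if (parse_attrs(msg, (h.len + 3u) & ~3u, policy, strict, plen) < 0)
        return -1;
    return plen[A_FEATURES] >= 8 ? 0 : 8 - plen[A_FEATURES];
}
```

With policy_before and strict off, a 2-byte features payload is accepted and the u64 read overruns it; either adding the policy entry or turning strict on rejects the message before the handler runs.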