From: Michael Bommarito <michael.bommarito@gmail.com>
To: Jon Maloy <jmaloy@redhat.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>,
	Ying Xue <ying.xue@windriver.com>,
	netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org
Subject: [PATCH net 0/4] tipc: fix missing netlink admin gate and receive-path bugs
Date: Tue,  2 Jun 2026 09:35:51 -0400	[thread overview]
Message-ID: <20260602133555.769727-1-michael.bommarito@gmail.com> (raw)

This series fixes four independent issues in the TIPC subsystem. They all
require a node that has TIPC configured (the tipc module loaded). Patch 1
is then reachable by a local process with no capabilities; patches 2 to 4
are reachable by a remote TIPC peer once a bearer is enabled. They were
found by an audit of the TIPC netlink, neighbor-discovery, connection and
name-distribution paths with AI assistance; following the kernel's
handling of AI-assisted bug reports they are disclosed in public.

The central issue is patch 1. The TIPCv2 generic-netlink API registers
its state-changing operations without an admin-permission flag. Generic
netlink only checks CAP_NET_ADMIN when an operation sets GENL_ADMIN_PERM
or GENL_UNS_ADMIN_PERM. The legacy TIPC config netlink path gates the
same administrative commands behind netlink_net_capable(CAP_NET_ADMIN);
the v2 path does not. So on a node where the tipc module is loaded, a
local process with zero effective capabilities can set the network id and
node identity, install and flush AEAD key material, and enable, disable
and reconfigure bearers, links and media. This restores the authorization
gate the legacy API has always had.

The other three patches fix input-validation and arithmetic bugs in the
receive paths. They are reachable independently of patch 1 (from a peer
node over a bearer, or over an established TIPC connection):

  1/4 adds GENL_UNS_ADMIN_PERM to the mutating v2 ops, matching the
      legacy API's netlink_net_capable(CAP_NET_ADMIN) gate. A QEMU/KASAN
      repro run as uid/gid 65534 with zero effective capabilities could
      change the network id and node identity, set and flush key
      material, and enable and disable a UDP bearer; with the patch those
      calls return -EPERM.

  2/4 bounds the media-address and node-id reads in tipc_disc_rcv()
      against the received length. A short LINK_CONFIG message otherwise
      makes the handler read past the received data.

  3/4 caps the peer-supplied connection ack so it cannot underflow the
      unsigned 16-bit send counter and leave a connection permanently
      flow-control blocked.

  4/4 rejects a peer PUBLICATION whose lower bound exceeds its upper
      bound. Such a binding can never be matched or withdrawn and leaks
      the publication; the local bind path already rejects it.

For the record, two related TIPC issues are deliberately not in this
series because other contributors already have fixes posted to netdev:
the broadcast Gap-ACK out-of-bounds read in tipc_get_gap_ack_blks()
("tipc: validate Gap ACK blocks in STATE message") and the
neighbor-monitor use-after-free on bearer teardown ("tipc: fix UAF race
in tipc_mon_peer_up/down/remove_peer vs bearer teardown"). This series
does not touch those paths. Note that patch 1 also gates bearer
enable/disable, the operation that exposes TIPC's packet-receive paths to
the network, so it is useful as defence in depth and not only as an
authorization fix.

Each patch was build-tested with no new warnings against v7.1-rc5. The
four patches touch different files and are independent.

Michael Bommarito (4):
  tipc: require net admin for TIPCv2 netlink mutators
  tipc: validate discovery message length before reading media address
  tipc: prevent snt_unacked underflow on CONN_ACK
  tipc: reject inverted service ranges from peer bindings

 net/tipc/discover.c   | 14 ++++++++++++++
 net/tipc/name_distr.c | 11 ++++++++++-
 net/tipc/netlink.c    | 12 ++++++++++++
 net/tipc/socket.c     |  9 ++++++++-
 4 files changed, 44 insertions(+), 2 deletions(-)


base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
-- 
2.53.0
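As an added user-space model of the arithmetic behind patches 3/4 and 4/4 (constructed for this page; it is not the kernel code or the series' patches): a 16-bit outstanding-message counter updated by a peer-supplied ack, once unchecked and once capped, plus the inverted-range check a peer PUBLICATION must pass. Function names and the window values are assumptions chosen to mirror the cover letter's description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outstanding-message counter after applying a peer CONN_ACK without any
 * check. In TIPC the counter is unsigned 16-bit, so an ack larger than the
 * outstanding count wraps it to a value near 65535 (assumed model). */
uint16_t apply_ack_unchecked(uint16_t snt_unacked, uint16_t ack)
{
    return (uint16_t)(snt_unacked - ack);
}

/* Same update with the cap patch 3/4 describes: a peer can never ack more
 * than is actually outstanding, so the counter cannot underflow. */
uint16_t apply_ack_capped(uint16_t snt_unacked, uint16_t ack)
{
    if (ack > snt_unacked)
        ack = snt_unacked;
    return (uint16_t)(snt_unacked - ack);
}

/* Flow control blocks further sends while more is outstanding than the
 * window; a wrapped counter keeps this true until the connection dies. */
bool send_blocked(uint16_t snt_unacked, uint16_t snd_win)
{
    return snt_unacked > snd_win;
}

/* Patch 4/4: a publication whose lower bound exceeds its upper bound can
 * never be matched or withdrawn; reject it as the local bind path does. */
bool publication_range_valid(uint32_t lower, uint32_t upper)
{
    return lower <= upper;
}

int main(void)
{
    const uint16_t win = 50;           /* assumed send window */
    uint16_t bad = apply_ack_unchecked(2, 5);  /* 2 outstanding, ack 5 */
    uint16_t ok = apply_ack_capped(2, 5);

    printf("unchecked: snt_unacked=%u blocked=%d\n", bad, send_blocked(bad, win));
    printf("capped:    snt_unacked=%u blocked=%d\n", ok, send_blocked(ok, win));
    printf("range 10..5 valid=%d, 5..10 valid=%d\n",
           publication_range_valid(10, 5), publication_range_valid(5, 10));
    return 0;
}
```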

