[PATCH net-next 0/2] nexthop: Fix two nexthop group statistics issues

[PATCH net-next 0/2] nexthop: Fix two nexthop group statistics issues

[Ido Schimmel]

Fix two issues that were introduced as part of the recent nexthop group
statistics submission. See the commit messages for more details.

Ido Schimmel (2):
  nexthop: Fix out-of-bounds access during attribute validation
  nexthop: Fix splat with CONFIG_DEBUG_PREEMPT=y

 net/ipv4/nexthop.c                          | 22 +++++++++++++--------
 tools/testing/selftests/net/fib_nexthops.sh |  6 ++++++
 2 files changed, 20 insertions(+), 8 deletions(-)

-- 
2.43.0

[PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[Ido Schimmel]

Passing a maximum attribute type to nlmsg_parse() that is larger than
the size of the passed policy will result in an out-of-bounds access [1]
when the attribute type is used as an index into the policy array.

Fix by setting the maximum attribute type according to the policy size,
as is already done for RTM_NEWNEXTHOP messages. Add a test case that
triggers the bug.

No regressions in fib nexthops tests:

 # ./fib_nexthops.sh
 [...]
 Tests passed: 236
 Tests failed:   0

[1]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x1e53/0x2940
Read of size 1 at addr ffffffff99ab4d20 by task ip/610

CPU: 3 PID: 610 Comm: ip Not tainted 6.8.0-rc7-custom-gd435d6e3e161 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x8f/0xe0
 print_report+0xcf/0x670
 kasan_report+0xd8/0x110
 __nla_validate_parse+0x1e53/0x2940
 __nla_parse+0x40/0x50
 rtm_del_nexthop+0x1bd/0x400
 rtnetlink_rcv_msg+0x3cc/0xf20
 netlink_rcv_skb+0x170/0x440
 netlink_unicast+0x540/0x820
 netlink_sendmsg+0x8d3/0xdb0
 ____sys_sendmsg+0x31f/0xa60
 ___sys_sendmsg+0x13a/0x1e0
 __sys_sendmsg+0x11c/0x1f0
 do_syscall_64+0xc5/0x1d0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
[...]

The buggy address belongs to the variable:
 rtm_nh_policy_del+0x20/0x40

Fixes: 2118f9390d83 ("net: nexthop: Adjust netlink policy parsing for a new attribute")
Reported-by: Eric Dumazet <edumazet@google.com>
Closes: https://lore.kernel.org/netdev/CANn89i+UNcG0PJMW5X7gOMunF38ryMh=L1aeZUKH3kL4UdUqag@mail.gmail.com/
Reported-by: syzbot+65bb09a7208ce3d4a633@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/00000000000088981b06133bc07b@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/ipv4/nexthop.c                          | 19 ++++++++++++-------
 tools/testing/selftests/net/fib_nexthops.sh |  6 ++++++
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 5eb3ba568f4e..f3df80d2b980 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -3253,8 +3253,9 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
 	int err;
 	u32 id;
 
-	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
-			  rtm_nh_policy_del, extack);
+	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
+			  ARRAY_SIZE(rtm_nh_policy_del) - 1, rtm_nh_policy_del,
+			  extack);
 	if (err < 0)
 		return err;
 
@@ -3283,8 +3284,9 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh,
 	int err;
 	u32 id;
 
-	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
-			  rtm_nh_policy_get, extack);
+	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
+			  ARRAY_SIZE(rtm_nh_policy_get) - 1, rtm_nh_policy_get,
+			  extack);
 	if (err < 0)
 		return err;
 
@@ -3411,7 +3413,8 @@ static int nh_valid_dump_req(const struct nlmsghdr *nlh,
 	struct nlattr *tb[NHA_MAX + 1];
 	int err;
 
-	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
+	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
+			  ARRAY_SIZE(rtm_nh_policy_dump) - 1,
 			  rtm_nh_policy_dump, cb->extack);
 	if (err < 0)
 		return err;
@@ -3549,7 +3552,8 @@ static int nh_valid_dump_bucket_req(const struct nlmsghdr *nlh,
 	struct nlattr *tb[NHA_MAX + 1];
 	int err;
 
-	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
+	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
+			  ARRAY_SIZE(rtm_nh_policy_dump_bucket) - 1,
 			  rtm_nh_policy_dump_bucket, NULL);
 	if (err < 0)
 		return err;
@@ -3718,7 +3722,8 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
 	u32 op_flags;
 	int err;
 
-	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
+	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
+			  ARRAY_SIZE(rtm_nh_policy_get_bucket) - 1,
 			  rtm_nh_policy_get_bucket, extack);
 	if (err < 0)
 		return err;
diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh
index d5a281aadbac..ac0b2c6a5761 100755
--- a/tools/testing/selftests/net/fib_nexthops.sh
+++ b/tools/testing/selftests/net/fib_nexthops.sh
@@ -2066,6 +2066,12 @@ basic()
 	run_cmd "$IP nexthop get id 1"
 	log_test $? 2 "Nexthop get on non-existent id"
 
+	run_cmd "$IP nexthop del id 1"
+	log_test $? 2 "Nexthop del with non-existent id"
+
+	run_cmd "$IP nexthop del id 1 group 1/2/3/4/5/6/7/8"
+	log_test $? 2 "Nexthop del with non-existent id and extra attributes"
+
 	# attempt to create nh without a device or gw - fails
 	run_cmd "$IP nexthop add id 1"
 	log_test $? 2 "Nexthop with no device or gateway"
-- 
2.43.0

[PATCH net-next 2/2] nexthop: Fix splat with CONFIG_DEBUG_PREEMPT=y

[Ido Schimmel]

Locally generated packets can increment the new nexthop statistics from
process context, resulting in the following splat [1] due to preemption
being enabled. Fix by using get_cpu_ptr() / put_cpu_ptr() which will
which take care of disabling / enabling preemption.

BUG: using smp_processor_id() in preemptible [00000000] code: ping/949
caller is nexthop_select_path+0xcf8/0x1e30
CPU: 12 PID: 949 Comm: ping Not tainted 6.8.0-rc7-custom-gcb450f605fae #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xbd/0xe0
 check_preemption_disabled+0xce/0xe0
 nexthop_select_path+0xcf8/0x1e30
 fib_select_multipath+0x865/0x18b0
 fib_select_path+0x311/0x1160
 ip_route_output_key_hash_rcu+0xe54/0x2720
 ip_route_output_key_hash+0x193/0x380
 ip_route_output_flow+0x25/0x130
 raw_sendmsg+0xbab/0x34a0
 inet_sendmsg+0xa2/0xe0
 __sys_sendto+0x2ad/0x430
 __x64_sys_sendto+0xe5/0x1c0
 do_syscall_64+0xc5/0x1d0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
[...]

Fixes: f4676ea74b85 ("net: nexthop: Add nexthop group entry stats")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/ipv4/nexthop.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index f3df80d2b980..fe5531f1b39f 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -673,10 +673,11 @@ static void nh_grp_entry_stats_inc(struct nh_grp_entry *nhge)
 {
 	struct nh_grp_entry_stats *cpu_stats;
 
-	cpu_stats = this_cpu_ptr(nhge->stats);
+	cpu_stats = get_cpu_ptr(nhge->stats);
 	u64_stats_update_begin(&cpu_stats->syncp);
 	u64_stats_inc(&cpu_stats->packets);
 	u64_stats_update_end(&cpu_stats->syncp);
+	put_cpu_ptr(cpu_stats);
 }
 
 static void nh_grp_entry_stats_read(struct nh_grp_entry *nhge,
-- 
2.43.0

Re: [PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[David Ahern]

On 3/10/24 11:32 AM, Ido Schimmel wrote:
> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> index 5eb3ba568f4e..f3df80d2b980 100644
> --- a/net/ipv4/nexthop.c
> +++ b/net/ipv4/nexthop.c
> @@ -3253,8 +3253,9 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	int err;
>  	u32 id;
>  
> -	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
> -			  rtm_nh_policy_del, extack);
> +	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
> +			  ARRAY_SIZE(rtm_nh_policy_del) - 1, rtm_nh_policy_del,

'tb' on the stack only needs to be ARRAY_SIZE as well; that's the
benefit of the approach - only declare what you need.

Comment applies to the other locations as well.

Re: [PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[Ido Schimmel]

On Sun, Mar 10, 2024 at 11:54:59AM -0600, David Ahern wrote:
> On 3/10/24 11:32 AM, Ido Schimmel wrote:
> > diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> > index 5eb3ba568f4e..f3df80d2b980 100644
> > --- a/net/ipv4/nexthop.c
> > +++ b/net/ipv4/nexthop.c
> > @@ -3253,8 +3253,9 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
> >  	int err;
> >  	u32 id;
> >  
> > -	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
> > -			  rtm_nh_policy_del, extack);
> > +	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
> > +			  ARRAY_SIZE(rtm_nh_policy_del) - 1, rtm_nh_policy_del,
> 
> 'tb' on the stack only needs to be ARRAY_SIZE as well; that's the
> benefit of the approach - only declare what you need.

The reasoning for that is explained in Petr's commit message:

"
    - To allow querying for presence of the attribute, have all the attribute
      arrays sized to NHA_MAX, regardless of what is permitted by policy, and
      pass the corresponding value to nlmsg_parse() as well.
"

IOW, with resizing 'tb' to ARRAY_SIZE:

rtm_del_nexthop
    nh_valid_get_del_req
        if (tb[NHA_OP_FLAGS]) -> BOOM

However, I can add [1] and [2] as patches #1 and #2 and then squash [3]
into the current patch.

[1]
commit bf5184cc9a3596d3185c91f2f7986e7c6f2dba9c
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Sun Mar 10 21:56:21 2024 +0200

    nexthop: Only parse NHA_OP_FLAGS for get messages that require it
    
    The attribute is parsed into 'op_flags' in nh_valid_get_del_req() which
    is called from the handlers of three message types: RTM_DELNEXTHOP,
    RTM_GETNEXTHOPBUCKET and RTM_GETNEXTHOP. The attribute is only used by
    the latter and rejected by the policies of the other two.
    
    Pass 'op_flags' as NULL from the handlers of the other two and only
    parse the attribute when the argument is not NULL.
    
    This is a preparation for a subsequent patch.
    
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 5eb3ba568f4e..03bacf9c0502 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -3229,10 +3229,12 @@ static int nh_valid_get_del_req(const struct nlmsghdr *nlh,
                return -EINVAL;
        }
 
-       if (tb[NHA_OP_FLAGS])
-               *op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
-       else
-               *op_flags = 0;
+       if (op_flags) {
+               if (tb[NHA_OP_FLAGS])
+                       *op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
+               else
+                       *op_flags = 0;
+       }
 
        return 0;
 }
@@ -3249,7 +3251,6 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
                .portid = NETLINK_CB(skb).portid,
        };
        struct nexthop *nh;
-       u32 op_flags;
        int err;
        u32 id;
 
@@ -3258,7 +3259,7 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (err < 0)
                return err;
 
-       err = nh_valid_get_del_req(nlh, tb, &id, &op_flags, extack);
+       err = nh_valid_get_del_req(nlh, tb, &id, NULL, extack);
        if (err)
                return err;
 
@@ -3715,7 +3716,6 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
                                   struct netlink_ext_ack *extack)
 {
        struct nlattr *tb[NHA_MAX + 1];
-       u32 op_flags;
        int err;
 
        err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
@@ -3723,7 +3723,7 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
        if (err < 0)
                return err;
 
-       err = nh_valid_get_del_req(nlh, tb, id, &op_flags, extack);
+       err = nh_valid_get_del_req(nlh, tb, id, NULL, extack);
        if (err)
                return err;

[2]
commit 585183403a6b692d71746527938b037f50feed65
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Sun Mar 10 22:54:53 2024 +0200

    nexthop: Only parse NHA_OP_FLAGS for dump messages that require it
    
    The attribute is parsed in __nh_valid_dump_req() which is called by the
    dump handlers of RTM_GETNEXTHOP and RTM_GETNEXTHOPBUCKET although it is
    only used by the former and rejected by the policy of the latter.
    
    Move the parsing to nh_valid_dump_req() which is only called by the dump
    handler of RTM_GETNEXTHOP.
    
    This is a preparation for a subsequent patch.
    
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 03bacf9c0502..573da3660cb3 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -3397,11 +3397,6 @@ static int __nh_valid_dump_req(const struct nlmsghdr *nlh, struct nlattr **tb,
                return -EINVAL;
        }
 
-       if (tb[NHA_OP_FLAGS])
-               filter->op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
-       else
-               filter->op_flags = 0;
-
        return 0;
 }
 
@@ -3417,6 +3412,11 @@ static int nh_valid_dump_req(const struct nlmsghdr *nlh,
        if (err < 0)
                return err;
 
+       if (tb[NHA_OP_FLAGS])
+               filter->op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
+       else
+               filter->op_flags = 0;
+
        return __nh_valid_dump_req(nlh, tb, filter, cb->extack);
 }

[3]
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index f6c9d834b989..0011b0076c5b 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -3243,8 +3243,8 @@ static int nh_valid_get_del_req(const struct nlmsghdr *nlh,
 static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
                           struct netlink_ext_ack *extack)
 {
+       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_del)];
        struct net *net = sock_net(skb->sk);
-       struct nlattr *tb[NHA_MAX + 1];
        struct nl_info nlinfo = {
                .nlh = nlh,
                .nl_net = net,
@@ -3277,8 +3277,8 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
 static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                           struct netlink_ext_ack *extack)
 {
+       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_get)];
        struct net *net = sock_net(in_skb->sk);
-       struct nlattr *tb[NHA_MAX + 1];
        struct sk_buff *skb = NULL;
        struct nexthop *nh;
        u32 op_flags;
@@ -3406,7 +3406,7 @@ static int nh_valid_dump_req(const struct nlmsghdr *nlh,
                             struct nh_dump_filter *filter,
                             struct netlink_callback *cb)
 {
-       struct nlattr *tb[NHA_MAX + 1];
+       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_dump)];
        int err;
 
        err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
@@ -3550,7 +3550,7 @@ static int nh_valid_dump_bucket_req(const struct nlmsghdr *nlh,
                                    struct netlink_callback *cb)
 {
        struct nlattr *res_tb[ARRAY_SIZE(rtm_nh_res_bucket_policy_dump)];
-       struct nlattr *tb[NHA_MAX + 1];
+       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_dump_bucket)];
        int err;
 
        err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
@@ -3719,7 +3719,7 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
                                   u32 *id, u16 *bucket_index,
                                   struct netlink_ext_ack *extack)
 {
-       struct nlattr *tb[NHA_MAX + 1];
+       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_get_bucket)];
        int err;
 
        err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,

Re: [PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[David Ahern]

On 3/10/24 3:41 PM, Ido Schimmel wrote:
> However, I can add [1] and [2] as patches #1 and #2 and then squash [3]
> into the current patch.

yes, please. Thank you for the fixups.

Re: [PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[Petr Machata]

Ido Schimmel <idosch@nvidia.com> writes:

> On Sun, Mar 10, 2024 at 11:54:59AM -0600, David Ahern wrote:
>> On 3/10/24 11:32 AM, Ido Schimmel wrote:
>> > diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
>> > index 5eb3ba568f4e..f3df80d2b980 100644
>> > --- a/net/ipv4/nexthop.c
>> > +++ b/net/ipv4/nexthop.c
>> > @@ -3253,8 +3253,9 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>> >  	int err;
>> >  	u32 id;
>> >  
>> > -	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
>> > -			  rtm_nh_policy_del, extack);
>> > +	err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
>> > +			  ARRAY_SIZE(rtm_nh_policy_del) - 1, rtm_nh_policy_del,
>> 
>> 'tb' on the stack only needs to be ARRAY_SIZE as well; that's the
>> benefit of the approach - only declare what you need.
>
> The reasoning for that is explained in Petr's commit message:
>
> "
>     - To allow querying for presence of the attribute, have all the attribute
>       arrays sized to NHA_MAX, regardless of what is permitted by policy, and
>       pass the corresponding value to nlmsg_parse() as well.
> "
>
> IOW, with resizing 'tb' to ARRAY_SIZE:
>
> rtm_del_nexthop
>     nh_valid_get_del_req
>         if (tb[NHA_OP_FLAGS]) -> BOOM

Yep. I passed NHA_MAX to nlmsg_parse to get the tb array properly
initialized, but missed the obvious fact that it will then expect the
policy arrays to be this long as well. Oops.

One way would be to just initialize the arrays:

modified   net/ipv4/nexthop.c
@@ -3243,7 +3243,7 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
 			   struct netlink_ext_ack *extack)
 {
 	struct net *net = sock_net(skb->sk);
-	struct nlattr *tb[NHA_MAX + 1];
+	struct nlattr *tb[NHA_MAX + 1] = {};
 	struct nl_info nlinfo = {
 		.nlh = nlh,
 		.nl_net = net,

But what you propose below looks OK to me as well, and conserves the
stack space. (Until the policies grow again anyway.)

> However, I can add [1] and [2] as patches #1 and #2 and then squash [3]
> into the current patch.
>
> [1]
> commit bf5184cc9a3596d3185c91f2f7986e7c6f2dba9c
> Author: Ido Schimmel <idosch@nvidia.com>
> Date:   Sun Mar 10 21:56:21 2024 +0200
>
>     nexthop: Only parse NHA_OP_FLAGS for get messages that require it
>     
>     The attribute is parsed into 'op_flags' in nh_valid_get_del_req() which
>     is called from the handlers of three message types: RTM_DELNEXTHOP,
>     RTM_GETNEXTHOPBUCKET and RTM_GETNEXTHOP. The attribute is only used by
>     the latter and rejected by the policies of the other two.
>     
>     Pass 'op_flags' as NULL from the handlers of the other two and only
>     parse the attribute when the argument is not NULL.
>     
>     This is a preparation for a subsequent patch.
>     
>     Signed-off-by: Ido Schimmel <idosch@nvidia.com>
>
> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> index 5eb3ba568f4e..03bacf9c0502 100644
> --- a/net/ipv4/nexthop.c
> +++ b/net/ipv4/nexthop.c
> @@ -3229,10 +3229,12 @@ static int nh_valid_get_del_req(const struct nlmsghdr *nlh,
>                 return -EINVAL;
>         }
>  
> -       if (tb[NHA_OP_FLAGS])
> -               *op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
> -       else
> -               *op_flags = 0;
> +       if (op_flags) {
> +               if (tb[NHA_OP_FLAGS])
> +                       *op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
> +               else
> +                       *op_flags = 0;
> +       }
>  
>         return 0;
>  }
> @@ -3249,7 +3251,6 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>                 .portid = NETLINK_CB(skb).portid,
>         };
>         struct nexthop *nh;
> -       u32 op_flags;
>         int err;
>         u32 id;
>  
> @@ -3258,7 +3259,7 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>         if (err < 0)
>                 return err;
>  
> -       err = nh_valid_get_del_req(nlh, tb, &id, &op_flags, extack);
> +       err = nh_valid_get_del_req(nlh, tb, &id, NULL, extack);
>         if (err)
>                 return err;
>  
> @@ -3715,7 +3716,6 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
>                                    struct netlink_ext_ack *extack)
>  {
>         struct nlattr *tb[NHA_MAX + 1];
> -       u32 op_flags;
>         int err;
>  
>         err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb, NHA_MAX,
> @@ -3723,7 +3723,7 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
>         if (err < 0)
>                 return err;
>  
> -       err = nh_valid_get_del_req(nlh, tb, id, &op_flags, extack);
> +       err = nh_valid_get_del_req(nlh, tb, id, NULL, extack);
>         if (err)
>                 return err;
>
> [2]
> commit 585183403a6b692d71746527938b037f50feed65
> Author: Ido Schimmel <idosch@nvidia.com>
> Date:   Sun Mar 10 22:54:53 2024 +0200
>
>     nexthop: Only parse NHA_OP_FLAGS for dump messages that require it
>     
>     The attribute is parsed in __nh_valid_dump_req() which is called by the
>     dump handlers of RTM_GETNEXTHOP and RTM_GETNEXTHOPBUCKET although it is
>     only used by the former and rejected by the policy of the latter.
>     
>     Move the parsing to nh_valid_dump_req() which is only called by the dump
>     handler of RTM_GETNEXTHOP.
>     
>     This is a preparation for a subsequent patch.
>     
>     Signed-off-by: Ido Schimmel <idosch@nvidia.com>
>
> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> index 03bacf9c0502..573da3660cb3 100644
> --- a/net/ipv4/nexthop.c
> +++ b/net/ipv4/nexthop.c
> @@ -3397,11 +3397,6 @@ static int __nh_valid_dump_req(const struct nlmsghdr *nlh, struct nlattr **tb,
>                 return -EINVAL;
>         }
>  
> -       if (tb[NHA_OP_FLAGS])
> -               filter->op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
> -       else
> -               filter->op_flags = 0;
> -
>         return 0;
>  }
>  
> @@ -3417,6 +3412,11 @@ static int nh_valid_dump_req(const struct nlmsghdr *nlh,
>         if (err < 0)
>                 return err;
>  
> +       if (tb[NHA_OP_FLAGS])
> +               filter->op_flags = nla_get_u32(tb[NHA_OP_FLAGS]);
> +       else
> +               filter->op_flags = 0;
> +
>         return __nh_valid_dump_req(nlh, tb, filter, cb->extack);
>  }
>
> [3]
> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> index f6c9d834b989..0011b0076c5b 100644
> --- a/net/ipv4/nexthop.c
> +++ b/net/ipv4/nexthop.c
> @@ -3243,8 +3243,8 @@ static int nh_valid_get_del_req(const struct nlmsghdr *nlh,
>  static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>                            struct netlink_ext_ack *extack)
>  {
> +       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_del)];
>         struct net *net = sock_net(skb->sk);
> -       struct nlattr *tb[NHA_MAX + 1];
>         struct nl_info nlinfo = {
>                 .nlh = nlh,
>                 .nl_net = net,
> @@ -3277,8 +3277,8 @@ static int rtm_del_nexthop(struct sk_buff *skb, struct nlmsghdr *nlh,
>  static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh,
>                            struct netlink_ext_ack *extack)
>  {
> +       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_get)];
>         struct net *net = sock_net(in_skb->sk);
> -       struct nlattr *tb[NHA_MAX + 1];
>         struct sk_buff *skb = NULL;
>         struct nexthop *nh;
>         u32 op_flags;
> @@ -3406,7 +3406,7 @@ static int nh_valid_dump_req(const struct nlmsghdr *nlh,
>                              struct nh_dump_filter *filter,
>                              struct netlink_callback *cb)
>  {
> -       struct nlattr *tb[NHA_MAX + 1];
> +       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_dump)];
>         int err;
>  
>         err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
> @@ -3550,7 +3550,7 @@ static int nh_valid_dump_bucket_req(const struct nlmsghdr *nlh,
>                                     struct netlink_callback *cb)
>  {
>         struct nlattr *res_tb[ARRAY_SIZE(rtm_nh_res_bucket_policy_dump)];
> -       struct nlattr *tb[NHA_MAX + 1];
> +       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_dump_bucket)];
>         int err;
>  
>         err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,
> @@ -3719,7 +3719,7 @@ static int nh_valid_get_bucket_req(const struct nlmsghdr *nlh,
>                                    u32 *id, u16 *bucket_index,
>                                    struct netlink_ext_ack *extack)
>  {
> -       struct nlattr *tb[NHA_MAX + 1];
> +       struct nlattr *tb[ARRAY_SIZE(rtm_nh_policy_get_bucket)];
>         int err;
>  
>         err = nlmsg_parse(nlh, sizeof(struct nhmsg), tb,

Re: [PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[Jakub Kicinski]

On Sun, 10 Mar 2024 23:41:53 +0200 Ido Schimmel wrote:
> > 'tb' on the stack only needs to be ARRAY_SIZE as well; that's the
> > benefit of the approach - only declare what you need.  
> 
> The reasoning for that is explained in Petr's commit message:
> 
> "
>     - To allow querying for presence of the attribute, have all the attribute
>       arrays sized to NHA_MAX, regardless of what is permitted by policy, and
>       pass the corresponding value to nlmsg_parse() as well.
> "
> 
> IOW, with resizing 'tb' to ARRAY_SIZE:
> 
> rtm_del_nexthop
>     nh_valid_get_del_req
>         if (tb[NHA_OP_FLAGS]) -> BOOM

v2 coming, right? Please repost as soon as possible. v1 crashes AFAICT
because tb is not 0-initialized so tb[NHA_OP_FLAGS] reads garbage.

Re: [PATCH net-next 1/2] nexthop: Fix out-of-bounds access during attribute validation

[Petr Machata]

Jakub Kicinski <kuba@kernel.org> writes:

> On Sun, 10 Mar 2024 23:41:53 +0200 Ido Schimmel wrote:
>> > 'tb' on the stack only needs to be ARRAY_SIZE as well; that's the
>> > benefit of the approach - only declare what you need.  
>> 
>> The reasoning for that is explained in Petr's commit message:
>> 
>> "
>>     - To allow querying for presence of the attribute, have all the attribute
>>       arrays sized to NHA_MAX, regardless of what is permitted by policy, and
>>       pass the corresponding value to nlmsg_parse() as well.
>> "
>> 
>> IOW, with resizing 'tb' to ARRAY_SIZE:
>> 
>> rtm_del_nexthop
>>     nh_valid_get_del_req
>>         if (tb[NHA_OP_FLAGS]) -> BOOM
>
> v2 coming, right? Please repost as soon as possible. v1 crashes AFAICT
> because tb is not 0-initialized so tb[NHA_OP_FLAGS] reads garbage.

Ido will send v2 later today.