From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E46B2C32771 for ; Fri, 24 Jan 2020 14:28:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BC3122075D for ; Fri, 24 Jan 2020 14:28:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579876085; bh=Wgrk36RiL/X9X6YsqZY6uq+Rj7bZnvc20YgMyvcyyts=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=boKzSqwjiVIG0FD/Cnko3vhDMD8ZLAxc01WpiKjPsCgi3uhRirJZN52y5wGMJzVTD quwUv+2cZk3gxtIxvapnEnFeRttBlEcg8dFc06dEKeWqGLDTTJkykPnsKq4etM609F jmGb/EkH+7FlC/pPhR4IOvC4cV1V09VLy5Gxts5o= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2405254AbgAXOVP (ORCPT ); Fri, 24 Jan 2020 09:21:15 -0500 Received: from mail.kernel.org ([198.145.29.99]:42732 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2405244AbgAXOVN (ORCPT ); Fri, 24 Jan 2020 09:21:13 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D62D5214DB; Fri, 24 Jan 2020 14:21:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579875672; bh=Wgrk36RiL/X9X6YsqZY6uq+Rj7bZnvc20YgMyvcyyts=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hJJWRg3lfTh/nEptOT953LRZLJX/40LeG7AXZdSQLnAGlbroUoLFNfhhW7n4UKzBn 8kxyn2lz8e8Gg+oTz4bxSgf44Ls26LxU8yoputU3Ql2Guy09KdovVyqO2INztWe/lF Y5PVfiTtZ6fNmfEqkbHYAq3MK7sQzFMUWYHW9AvE= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Florian Westphal , syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com, Pablo Neira Ayuso , Sasha Levin , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 51/56] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits Date: Fri, 24 Jan 2020 09:20:07 -0500 Message-Id: <20200124142012.29752-51-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200124142012.29752-1-sashal@kernel.org> References: <20200124142012.29752-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: Florian Westphal [ Upstream commit 9332d27d7918182add34e8043f6a754530fdd022 ] This WARN can trigger because some of the names fed to the module autoload function can be of arbitrary length. Remove the WARN and add limits for all NLA_STRING attributes. Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f7d1f66b29483..79b88467606db 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -24,6 +24,8 @@ #include #include +#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) + static LIST_HEAD(nf_tables_expressions); static LIST_HEAD(nf_tables_objects); static LIST_HEAD(nf_tables_flowtables); @@ -502,7 +504,7 @@ static void nft_request_module(struct net *net, const char *fmt, ...) va_start(args, fmt); ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); va_end(args); - if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret)) + if (ret >= MODULE_NAME_LEN) return; mutex_unlock(&net->nft.commit_mutex); @@ -1130,7 +1132,8 @@ static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { .len = NFT_CHAIN_MAXNAMELEN - 1 }, [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, - [NFTA_CHAIN_TYPE] = { .type = NLA_STRING }, + [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, + .len = NFT_MODULE_AUTOLOAD_LIMIT }, [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, }; @@ -2013,7 +2016,8 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net, } static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { - [NFTA_EXPR_NAME] = { .type = NLA_STRING }, + [NFTA_EXPR_NAME] = { .type = NLA_STRING, + .len = NFT_MODULE_AUTOLOAD_LIMIT }, [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, }; @@ -3797,7 +3801,8 @@ static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, .len = NFT_USERDATA_MAXLEN }, [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, - [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING }, + [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, + .len = NFT_OBJ_MAXNAMELEN - 1 }, }; static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { -- 2.20.1