From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Wei Chen <harperchen1110@gmail.com>,
Ido Schimmel <idosch@nvidia.com>,
Alexander Duyck <alexanderduyck@fb.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 47/64] net/sched: act_mpls: Fix warning during failed attribute validation
Date: Mon, 16 Jan 2023 16:51:54 +0100 [thread overview]
Message-ID: <20230116154745.219284799@linuxfoundation.org> (raw)
In-Reply-To: <20230116154743.577276578@linuxfoundation.org>
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 9e17f99220d111ea031b44153fdfe364b0024ff2 ]
The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a
validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid
combination according to the comment above 'struct nla_policy':
"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
NLA_BINARY Validation function called for the attribute.
All other Unused - but note that it's a union
"
This can trigger the warning [1] in nla_get_range_unsigned() when
validation of the attribute fails. Despite being of 'NLA_U32' type, the
associated 'min'/'max' fields in the policy are negative as they are
aliased by the 'validate' field.
Fix by changing the attribute type to 'NLA_BINARY' which is consistent
with the above comment and all other users of NLA_POLICY_VALIDATE_FN().
As a result, move the length validation to the validation function.
No regressions in MPLS tests:
# ./tdc.py -f tc-tests/actions/mpls.json
[...]
# echo $?
0
[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:
<TASK>
__netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x38f/0x500 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x197/0x230 net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link: https://lore.kernel.org/netdev/CAO4mrfdmjvRUNbDyP0R03_DrD_eFCLCguz6OxZ2TYRSv0K9gxA@mail.gmail.com/
Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Tested-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Link: https://lore.kernel.org/r/20230107171004.608436-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_mpls.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/sched/act_mpls.c b/net/sched/act_mpls.c
index d1486ea496a2..09799412b248 100644
--- a/net/sched/act_mpls.c
+++ b/net/sched/act_mpls.c
@@ -133,6 +133,11 @@ static int valid_label(const struct nlattr *attr,
{
const u32 *label = nla_data(attr);
+ if (nla_len(attr) != sizeof(*label)) {
+ NL_SET_ERR_MSG_MOD(extack, "Invalid MPLS label length");
+ return -EINVAL;
+ }
+
if (*label & ~MPLS_LABEL_MASK || *label == MPLS_LABEL_IMPLNULL) {
NL_SET_ERR_MSG_MOD(extack, "MPLS label out of range");
return -EINVAL;
@@ -144,7 +149,8 @@ static int valid_label(const struct nlattr *attr,
static const struct nla_policy mpls_policy[TCA_MPLS_MAX + 1] = {
[TCA_MPLS_PARMS] = NLA_POLICY_EXACT_LEN(sizeof(struct tc_mpls)),
[TCA_MPLS_PROTO] = { .type = NLA_U16 },
- [TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_U32, valid_label),
+ [TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
+ valid_label),
[TCA_MPLS_TC] = NLA_POLICY_RANGE(NLA_U8, 0, 7),
[TCA_MPLS_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
[TCA_MPLS_BOS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
--
2.35.1
next prev parent reply other threads:[~2023-01-16 16:14 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-16 15:51 [PATCH 5.10 00/64] 5.10.164-rc1 review Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 01/64] netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 02/64] ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 03/64] KVM: arm64: Fix S1PTW handling on RO memslots Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 04/64] efi: tpm: Avoid READ_ONCE() for accessing the event log Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 05/64] docs: Fix the docs build with Sphinx 6.0 Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 06/64] perf auxtrace: Fix address filter duplicate symbol selection Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 07/64] s390/kexec: fix ipl report address for kdump Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 08/64] ASoC: qcom: lpass-cpu: Fix fallback SD line index handling Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 09/64] s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 10/64] s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 11/64] cifs: Fix uninitialized memory read for smb311 posix symlink create Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 12/64] drm/msm/adreno: Make adreno quirks not overwrite each other Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 13/64] drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 14/64] platform/x86: sony-laptop: Dont turn off 0x153 keyboard backlight during probe Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 15/64] ixgbe: fix pci device refcount leak Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 16/64] ipv6: raw: Deduct extension header length in rawv6_push_pending_frames Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 17/64] bus: mhi: host: Fix race between channel preparation and M0 event Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 18/64] iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 19/64] iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 20/64] clk: imx8mp: Add DISP2 pixel clock Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 21/64] clk: imx8mp: add clkout1/2 support Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 22/64] dt-bindings: clocks: imx8mp: Add ID for usb suspend clock Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 23/64] clk: imx: imx8mp: add shared clk gate for usb suspend clk Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 24/64] xhci: Avoid parsing transfer events several times Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 25/64] xhci: get isochronous ring directly from endpoint structure Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 26/64] xhci: adjust parameters passed to cleanup_halted_endpoint() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 27/64] xhci: Add xhci_reset_halted_ep() helper function Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 28/64] xhci: move xhci_td_cleanup so it can be called by more functions Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 29/64] xhci: store TD status in the td struct instead of passing it along Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 30/64] xhci: move and rename xhci_cleanup_halted_endpoint() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 31/64] xhci: Prevent infinite loop in transaction errors recovery for streams Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 32/64] usb: ulpi: defer ulpi_register on ulpi_read_id timeout Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 33/64] ext4: fix uninititialized value in ext4_evict_inode Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 34/64] xfrm: fix rcu lock in xfrm_notify_userpolicy() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 35/64] netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 36/64] powerpc/imc-pmu: Fix use of mutex in IRQs disabled section Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 37/64] x86/boot: Avoid using Intel mnemonics in AT&T syntax asm Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 38/64] EDAC/device: Fix period calculation in edac_device_reset_delay_period() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 39/64] regulator: da9211: Use irq handler when ready Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 40/64] ASoC: wm8904: fix wrong outputs volume after power reactivation Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 41/64] tipc: fix unexpected link reset due to discovery messages Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 42/64] octeontx2-af: Update get/set resource count functions Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 43/64] octeontx2-af: Map NIX block from CGX connection Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 44/64] octeontx2-af: Fix LMAC config in cgx_lmac_rx_tx_enable Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 45/64] hvc/xen: lock console list traversal Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 46/64] nfc: pn533: Wait for out_urbs completion in pn533_usb_send_frame() Greg Kroah-Hartman
2023-01-16 15:51 ` Greg Kroah-Hartman [this message]
2023-01-16 15:51 ` [PATCH 5.10 48/64] net/mlx5: Fix ptp max frequency adjustment range Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 49/64] net/mlx5e: Dont support encap rules with gbp option Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 50/64] mm: Always release pages to the buddy allocator in memblock_free_late() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 51/64] iommu/mediatek-v1: Add error handle for mtk_iommu_probe Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 52/64] iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 53/64] Documentation: KVM: add API issues section Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 54/64] KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 55/64] x86/resctrl: Use task_curr() instead of task_struct->on_cpu to prevent unnecessary IPI Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 56/64] x86/resctrl: Fix task CLOSID/RMID update race Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 57/64] arm64: atomics: format whitespace consistently Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 58/64] arm64: atomics: remove LL/SC trampolines Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 59/64] arm64: cmpxchg_double*: hazard against entire exchange variable Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 60/64] efi: fix NULL-deref in init error path Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 61/64] drm/virtio: Fix GEM handle creation UAF Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 62/64] io_uring/io-wq: free worker if task_work creation is canceled Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 63/64] io_uring/io-wq: only free worker if it was allocated for creation Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 64/64] Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout" Greg Kroah-Hartman
2023-01-16 18:58 ` [PATCH 5.10 00/64] 5.10.164-rc1 review Daniel Díaz
2023-01-16 21:30 ` Pavel Machek
2023-01-17 9:32 ` Greg Kroah-Hartman
2023-01-16 23:58 ` Shuah Khan
2023-01-17 12:35 ` Sudip Mukherjee
2023-01-17 14:20 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230116154745.219284799@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexanderduyck@fb.com \
--cc=harperchen1110@gmail.com \
--cc=idosch@nvidia.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox