From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Lin Ma <linma@zju.edu.cn>,
Nikolay Aleksandrov <razor@blackwall.org>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 11/25] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
Date: Mon, 4 Mar 2024 21:23:47 +0000 [thread overview]
Message-ID: <20240304211536.119148478@linuxfoundation.org> (raw)
In-Reply-To: <20240304211535.741936181@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 743ad091fb46e622f1b690385bb15e3cd3daf874 ]
In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks
IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic
in the function `rtnl_bridge_setlink` to enable the loop to also check
the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment
removed the `break` statement and led to an error logic of the flags
writing back at the end of this function.
if (have_flags)
memcpy(nla_data(attr), &flags, sizeof(flags));
// attr should point to IFLA_BRIDGE_FLAGS NLA !!!
Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.
However, this is not necessarily true fow now as the updated loop will let
the attr point to the last NLA, even an invalid NLA which could cause
overflow writes.
This patch introduces a new variable `br_flag` to save the NLA pointer
that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned
error logic.
Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20240227121128.608110-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index bb1a273840775..ee599636f817f 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4586,10 +4586,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
struct net *net = sock_net(skb->sk);
struct ifinfomsg *ifm;
struct net_device *dev;
- struct nlattr *br_spec, *attr = NULL;
+ struct nlattr *br_spec, *attr, *br_flags_attr = NULL;
int rem, err = -EOPNOTSUPP;
u16 flags = 0;
- bool have_flags = false;
if (nlmsg_len(nlh) < sizeof(*ifm))
return -EINVAL;
@@ -4607,11 +4606,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
if (br_spec) {
nla_for_each_nested(attr, br_spec, rem) {
- if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) {
+ if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) {
if (nla_len(attr) < sizeof(flags))
return -EINVAL;
- have_flags = true;
+ br_flags_attr = attr;
flags = nla_get_u16(attr);
}
@@ -4655,8 +4654,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
}
}
- if (have_flags)
- memcpy(nla_data(attr), &flags, sizeof(flags));
+ if (br_flags_attr)
+ memcpy(nla_data(br_flags_attr), &flags, sizeof(flags));
out:
return err;
}
--
2.43.0
next prev parent reply other threads:[~2024-03-04 21:33 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-04 21:23 [PATCH 5.4 00/25] 5.4.271-rc1 review Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 01/25] netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 02/25] net: ip_tunnel: prevent perpetual headroom growth Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 03/25] tun: Fix xdp_rxq_infos queue_index when detaching Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 04/25] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 05/25] lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 06/25] net: usb: dm9601: fix wrong return value in dm9601_mdio_read Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 07/25] Bluetooth: Avoid potential use-after-free in hci_error_reset Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 08/25] Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 09/25] Bluetooth: Enforce validation on max value of connection interval Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 10/25] netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Greg Kroah-Hartman
2024-03-04 21:23 ` Greg Kroah-Hartman [this message]
2024-03-04 21:23 ` [PATCH 5.4 12/25] efi/capsule-loader: fix incorrect allocation size Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 13/25] power: supply: bq27xxx-i2c: Do not free non existing IRQ Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 14/25] ALSA: Drop leftover snd-rtctimer stuff from Makefile Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 15/25] afs: Fix endless loop in directory parsing Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 16/25] gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 17/25] wifi: nl80211: reject iftype change with mesh ID change Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 18/25] btrfs: dev-replace: properly validate device names Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 19/25] dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 20/25] dmaengine: fsl-qdma: init irq after reg initialization Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 21/25] mmc: core: Fix eMMC initialization with 1-bit bus connection Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 22/25] x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.4 23/25] cachefiles: fix memory leak in cachefiles_add_cache() Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.4 24/25] fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.4 25/25] gpio: 74x164: Enable output pins after registers are reset Greg Kroah-Hartman
2024-03-05 10:58 ` [PATCH 5.4 00/25] 5.4.271-rc1 review Jon Hunter
2024-03-05 19:08 ` Shuah Khan
2024-03-05 20:06 ` Harshit Mogalapalli
2024-03-05 20:19 ` Florian Fainelli
2024-03-06 10:47 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304211536.119148478@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=linma@zju.edu.cn \
--cc=patches@lists.linux.dev \
--cc=razor@blackwall.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox