From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A6E7246BA0; Mon, 4 Mar 2024 21:33:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709588005; cv=none; b=NECarzBr4R3SoP/+Jz/9Ji4btYXGyjtz/t5Z8tNNBZ/wbOAEiz6zAaJyiLM6Tu7LsKVpox4ukYPdoux2xjoGPhRa/8teV7w/X8CSuaVHzyPRJ+qx3uGRxF8y50Frc5PWakRPEqDRjdrAxBoxoKh0XGzUzuXXxE3T0fGCK+t2a8I= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709588005; c=relaxed/simple; bh=CC9BkcDaGEotCKVIFtAVv5Luf93OK7xSeSCGFjwdoSA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pUobmtX6ZzqSNMsT6Y04PEG70PVKuFpzqDaz72YVUx8UoS7y0SEe3BSoA29vku0+qLlWGe/mbkRsg1Q6nVOGQMnLF7t4HVZZS37cno2fEa/qmDpUMoKVu7MKv3ic2PY2owlxK7pMQ2ltWXf1cQoohDFPZ+SzeAYHx3nNtzT7m2M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ckm1en/j; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ckm1en/j" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 394DAC433C7; Mon, 4 Mar 2024 21:33:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1709588005; bh=CC9BkcDaGEotCKVIFtAVv5Luf93OK7xSeSCGFjwdoSA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ckm1en/jwnByJx2DfPL3vyzszBd2/Nlporce4xcyc6estdFTY3LJsMLPzu4GeZ/Ko sAbmlMpU4aIv9TpG3ijk24DMyPsLS9MaWI7Od0u4Q8SDmsZDnMCVCevsbP6tuWAjgT 5FA1uhIY2QLk2Bn019vXLjqyiDMuqhI4D6LXVTr8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lin Ma , Nikolay Aleksandrov , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 11/25] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Date: Mon, 4 Mar 2024 21:23:47 +0000 Message-ID: <20240304211536.119148478@linuxfoundation.org> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240304211535.741936181@linuxfoundation.org> References: <20240304211535.741936181@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Lin Ma [ Upstream commit 743ad091fb46e622f1b690385bb15e3cd3daf874 ] In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length") Signed-off-by: Lin Ma Acked-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/20240227121128.608110-1-linma@zju.edu.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/core/rtnetlink.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index bb1a273840775..ee599636f817f 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -4586,10 +4586,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, struct net *net = sock_net(skb->sk); struct ifinfomsg *ifm; struct net_device *dev; - struct nlattr *br_spec, *attr = NULL; + struct nlattr *br_spec, *attr, *br_flags_attr = NULL; int rem, err = -EOPNOTSUPP; u16 flags = 0; - bool have_flags = false; if (nlmsg_len(nlh) < sizeof(*ifm)) return -EINVAL; @@ -4607,11 +4606,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); if (br_spec) { nla_for_each_nested(attr, br_spec, rem) { - if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) { + if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) { if (nla_len(attr) < sizeof(flags)) return -EINVAL; - have_flags = true; + br_flags_attr = attr; flags = nla_get_u16(attr); } @@ -4655,8 +4654,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, } } - if (have_flags) - memcpy(nla_data(attr), &flags, sizeof(flags)); + if (br_flags_attr) + memcpy(nla_data(br_flags_attr), &flags, sizeof(flags)); out: return err; } -- 2.43.0