From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Lin Ma <linma@zju.edu.cn>,
Nikolay Aleksandrov <razor@blackwall.org>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 16/42] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
Date: Mon, 4 Mar 2024 21:23:43 +0000 [thread overview]
Message-ID: <20240304211538.178832501@linuxfoundation.org> (raw)
In-Reply-To: <20240304211537.631764077@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 743ad091fb46e622f1b690385bb15e3cd3daf874 ]
In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks
IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic
in the function `rtnl_bridge_setlink` to enable the loop to also check
the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment
removed the `break` statement and led to an error logic of the flags
writing back at the end of this function.
if (have_flags)
memcpy(nla_data(attr), &flags, sizeof(flags));
// attr should point to IFLA_BRIDGE_FLAGS NLA !!!
Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.
However, this is not necessarily true fow now as the updated loop will let
the attr point to the last NLA, even an invalid NLA which could cause
overflow writes.
This patch introduces a new variable `br_flag` to save the NLA pointer
that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned
error logic.
Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20240227121128.608110-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 021dcfdae2835..8938320f7ba3b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4903,10 +4903,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
struct net *net = sock_net(skb->sk);
struct ifinfomsg *ifm;
struct net_device *dev;
- struct nlattr *br_spec, *attr = NULL;
+ struct nlattr *br_spec, *attr, *br_flags_attr = NULL;
int rem, err = -EOPNOTSUPP;
u16 flags = 0;
- bool have_flags = false;
if (nlmsg_len(nlh) < sizeof(*ifm))
return -EINVAL;
@@ -4924,11 +4923,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
if (br_spec) {
nla_for_each_nested(attr, br_spec, rem) {
- if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) {
+ if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) {
if (nla_len(attr) < sizeof(flags))
return -EINVAL;
- have_flags = true;
+ br_flags_attr = attr;
flags = nla_get_u16(attr);
}
@@ -4972,8 +4971,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
}
}
- if (have_flags)
- memcpy(nla_data(attr), &flags, sizeof(flags));
+ if (br_flags_attr)
+ memcpy(nla_data(br_flags_attr), &flags, sizeof(flags));
out:
return err;
}
--
2.43.0
next prev parent reply other threads:[~2024-03-04 21:34 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-04 21:23 [PATCH 5.10 00/42] 5.10.212-rc1 review Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 01/42] platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 02/42] crypto: virtio/akcipher - Fix stack overflow on memcpy Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 03/42] mtd: spinand: gigadevice: Support GD5F1GQ5UExxG Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 04/42] mtd: spinand: gigadevice: Fix the get ecc status issue Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 05/42] netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 06/42] net: ip_tunnel: prevent perpetual headroom growth Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 07/42] tun: Fix xdp_rxq_infos queue_index when detaching Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 08/42] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 09/42] lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 10/42] net: usb: dm9601: fix wrong return value in dm9601_mdio_read Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 11/42] Bluetooth: Avoid potential use-after-free in hci_error_reset Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 12/42] Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 13/42] Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 14/42] Bluetooth: Enforce validation on max value of connection interval Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 15/42] netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Greg Kroah-Hartman
2024-03-04 21:23 ` Greg Kroah-Hartman [this message]
2024-03-04 21:23 ` [PATCH 5.10 17/42] efi/capsule-loader: fix incorrect allocation size Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 18/42] power: supply: bq27xxx-i2c: Do not free non existing IRQ Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 19/42] ALSA: Drop leftover snd-rtctimer stuff from Makefile Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 20/42] afs: Fix endless loop in directory parsing Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 21/42] riscv: Sparse-Memory/vmemmap out-of-bounds fix Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 22/42] tomoyo: fix UAF write bug in tomoyo_write_control() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 23/42] gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 24/42] wifi: nl80211: reject iftype change with mesh ID change Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 25/42] btrfs: dev-replace: properly validate device names Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 26/42] dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 27/42] dmaengine: fsl-qdma: init irq after reg initialization Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 28/42] mmc: core: Fix eMMC initialization with 1-bit bus connection Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 29/42] mmc: sdhci-xenon: add timeout for PHY init complete Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 30/42] mmc: sdhci-xenon: fix PHY init clock stability Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 31/42] riscv: add CALLER_ADDRx support Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 32/42] pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 33/42] x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 34/42] mptcp: fix possible deadlock in subflow diag Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 35/42] ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 36/42] cachefiles: fix memory leak in cachefiles_add_cache() Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 37/42] fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 38/42] gpio: 74x164: Enable output pins after registers are reset Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 39/42] gpiolib: Fix the error path order in gpiochip_add_data_with_key() Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 40/42] gpio: fix resource unwinding order in error path Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 41/42] mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 42/42] mptcp: fix double-free on socket dismantle Greg Kroah-Hartman
2024-03-05 9:05 ` [PATCH 5.10 00/42] 5.10.212-rc1 review Dominique Martinet
2024-03-05 10:23 ` Naresh Kamboju
2024-03-05 10:58 ` Jon Hunter
2024-03-05 11:23 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304211538.178832501@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=linma@zju.edu.cn \
--cc=patches@lists.linux.dev \
--cc=razor@blackwall.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox