From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3CF50200CD; Mon, 4 Mar 2024 21:37:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709588248; cv=none; b=g7//IuDjMdrSWng/1nZvzwXLDjjm43bEZ+mIiAEjlYOwtNbKi3eKD7VtHD64q6zDtfg8DeljnKPlDy11VF2bWv8w+NFHEo2YtvA9YRVqTWHfZb6D2GvDXvUcCq3zsoAvNBE/12nUZCmEQOGdSRiCvthczKkatUpuR3loXBWtr4s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709588248; c=relaxed/simple; bh=jGQiqkpyMfbVa3gFypeWogx8uMRRzD/fuHBxle+g/5A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cblbBq4hWW9lIJAGsz5xSc9ykM3JILj4/TOhR/0mDBpSFgv5/FfEwf1jJ1hOJ1MaixdJHzB+ADUWXcbZeVPIXdvkMFO64SMAKk+XTZI1znYLIjWBdTLNOh0GmCeoYrvDYwwRyMJdvWBVSo3kqJWV9UN2yC0J+yr0NqkAD7ocKIs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=KQWNIqEZ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="KQWNIqEZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7C1C8C433C7; Mon, 4 Mar 2024 21:37:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1709588247; bh=jGQiqkpyMfbVa3gFypeWogx8uMRRzD/fuHBxle+g/5A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KQWNIqEZ4ArNhCvycPNOKTQ1PuiZSzRdrAVt1XNAvtD3AJqvRbDcwlKDEjCgnuZGP SMYjvNRaUvrYPSKYldIjwOyHbNSVaRgNlqAx41gs/923VPny40uEY8TbbdAFSHqT/E 0TZMAobO34qjuook5SsR+A05O+iaU89oC0kMwXiY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lin Ma , Nikolay Aleksandrov , Jakub Kicinski , Sasha Levin Subject: [PATCH 6.6 035/143] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Date: Mon, 4 Mar 2024 21:22:35 +0000 Message-ID: <20240304211551.057478495@linuxfoundation.org> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240304211549.876981797@linuxfoundation.org> References: <20240304211549.876981797@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Lin Ma [ Upstream commit 743ad091fb46e622f1b690385bb15e3cd3daf874 ] In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length") Signed-off-by: Lin Ma Acked-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/20240227121128.608110-1-linma@zju.edu.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/core/rtnetlink.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index fcf331a447eee..e8bf481e80f72 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -5135,10 +5135,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, struct net *net = sock_net(skb->sk); struct ifinfomsg *ifm; struct net_device *dev; - struct nlattr *br_spec, *attr = NULL; + struct nlattr *br_spec, *attr, *br_flags_attr = NULL; int rem, err = -EOPNOTSUPP; u16 flags = 0; - bool have_flags = false; if (nlmsg_len(nlh) < sizeof(*ifm)) return -EINVAL; @@ -5156,11 +5155,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); if (br_spec) { nla_for_each_nested(attr, br_spec, rem) { - if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) { + if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) { if (nla_len(attr) < sizeof(flags)) return -EINVAL; - have_flags = true; + br_flags_attr = attr; flags = nla_get_u16(attr); } @@ -5204,8 +5203,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, } } - if (have_flags) - memcpy(nla_data(attr), &flags, sizeof(flags)); + if (br_flags_attr) + memcpy(nla_data(br_flags_attr), &flags, sizeof(flags)); out: return err; } -- 2.43.0