From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1DEDE7994A; Mon, 4 Mar 2024 21:28:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709587696; cv=none; b=MVT/56zpIphotmR/HYKTDvQtNSZYrROR16vwW93xLmZikEhSCZfcoGa98FLNpzG0+y1j52yP/25SUMeZK+qWWdsZPojvGhiEOVc3KtdP0GJCsjtnPEblr87ca4IkW0lAybd5lyr0dDtUOz6/B1VYyiqgbXOeAVPqbq9jeLyVn+Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709587696; c=relaxed/simple; bh=93MgnCzicdbIg1ZqWmsrjGdMeBjJFNsD4EYxw8UKKjM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ExhwfT/tTBt9pJ/ZNCowm0+dLK7qTE8w+vdRGzpmVj4FcxARRyxalmnibgXuXCb0DwhBDpj2ieZLt2UZFAUOalbsYfYiKCIRkkbSlItVBwK7ryTYNbGEYZ7904IEt/DpKpgNRn1khWYGYUlzdjpCSjAeZ/zMOde0vMLZRfzvAMs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=xdXXgzQO; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="xdXXgzQO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 68953C433F1; Mon, 4 Mar 2024 21:28:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1709587695; bh=93MgnCzicdbIg1ZqWmsrjGdMeBjJFNsD4EYxw8UKKjM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xdXXgzQOvuF01WI3foVECvhaCx0IfLfHAQjIyna8TriLLbZ4pK7stghUitcUouUZG fLfRQl3WMkN2C3HifcnkF8XmM8hc/lBBBMeRAqBdPV4QcmSt3a5fW1gcuDIbe6jDQo iyh4HAkI0PvQEQuguQzV5AZNFCxXVosQwmySvPz0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lin Ma , Nikolay Aleksandrov , Jakub Kicinski , Sasha Levin Subject: [PATCH 6.7 037/162] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Date: Mon, 4 Mar 2024 21:21:42 +0000 Message-ID: <20240304211553.023090236@linuxfoundation.org> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240304211551.833500257@linuxfoundation.org> References: <20240304211551.833500257@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.7-stable review patch. If anyone has any objections, please let me know. ------------------ From: Lin Ma [ Upstream commit 743ad091fb46e622f1b690385bb15e3cd3daf874 ] In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length") Signed-off-by: Lin Ma Acked-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/20240227121128.608110-1-linma@zju.edu.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/core/rtnetlink.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index bf4c3f65ad99c..8f9cd6b7926e3 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -5164,10 +5164,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, struct net *net = sock_net(skb->sk); struct ifinfomsg *ifm; struct net_device *dev; - struct nlattr *br_spec, *attr = NULL; + struct nlattr *br_spec, *attr, *br_flags_attr = NULL; int rem, err = -EOPNOTSUPP; u16 flags = 0; - bool have_flags = false; if (nlmsg_len(nlh) < sizeof(*ifm)) return -EINVAL; @@ -5185,11 +5184,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); if (br_spec) { nla_for_each_nested(attr, br_spec, rem) { - if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) { + if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) { if (nla_len(attr) < sizeof(flags)) return -EINVAL; - have_flags = true; + br_flags_attr = attr; flags = nla_get_u16(attr); } @@ -5233,8 +5232,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, } } - if (have_flags) - memcpy(nla_data(attr), &flags, sizeof(flags)); + if (br_flags_attr) + memcpy(nla_data(br_flags_attr), &flags, sizeof(flags)); out: return err; } -- 2.43.0