Date: Sat, 25 Aug 2018 22:58:01 -0700
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Al Viro, Jamal Hadi Salim, Cong Wang, Jiri Pirko, "David S. Miller", netdev@vger.kernel.org
Subject: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL
Message-ID: <20180826055801.GA42063@beast>

Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink policy, so max length isn't enforced, only minimum. This means nkeys (from userspace) was being trusted without checking the actual size of nla_len(), which could lead to a memory over-read, and ultimately an exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within a namespace.

Reported-by: Al Viro
Cc: Jamal Hadi Salim
Cc: Cong Wang
Cc: Jiri Pirko
Cc: "David S. Miller"
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
This should go through -stable please, but I have left off the "Cc: stable" as per netdev patch policy.

Note that use of struct_size() will need manual expansion in backports, such as:

    sel_size = sizeof(*s) + sizeof(*s->keys) * s->nkeys;
---
 net/sched/cls_u32.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index d5d2a6dc3921..f218ccf1e2d9 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -914,6 +914,7 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, struct nlattr *opt = tca[TCA_OPTIONS]; struct nlattr *tb[TCA_U32_MAX + 1]; u32 htid, flags = 0; + size_t sel_size; int err; #ifdef CONFIG_CLS_U32_PERF size_t size; @@ -1076,8 +1077,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, } s = nla_data(tb[TCA_U32_SEL]); + sel_size = struct_size(s, keys, s->nkeys); + if (nla_len(tb[TCA_U32_SEL]) < sel_size) { + err = -EINVAL; + goto erridr; + } - n = kzalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL); + n = kzalloc(offsetof(typeof(*n), sel) + sel_size, GFP_KERNEL); if (n == NULL) { err = -ENOBUFS; goto erridr; @@ -1092,7 +1098,7 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, } #endif - memcpy(&n->sel, s, sizeof(*s) + s->nkeys*sizeof(struct tc_u32_key)); + memcpy(&n->sel, s, sel_size); RCU_INIT_POINTER(n->ht_up, ht); n->handle = handle; n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0; -- 2.17.1 -- Kees Cook Pixel Security
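Review bot: in the second hunk, the new allocation size `offsetof(typeof(*n), sel) + sel_size` is only equivalent to the old `sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key)` if `sel` is the last member of `*n`; a one-line comment at the kzalloc() (or a BUILD_BUG_ON() on the offset) would record that assumption so a field added after `sel` later is not silently overlapped by the key array. The `nla_len(tb[TCA_U32_SEL]) < sel_size` check also dereferences `s->nkeys` before the attribute length has been compared to anything in this function; the commit message says the netlink policy already enforces the minimum length, and stating that in a short comment next to the check would spare the next reader the lookup.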
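Review bot: in the third hunk, sizing the memcpy() with `sel_size` means the length check, the allocation and the copy now share a single variable, which is the right shape; since the check sits at line 1077 and the copy at line 1098 (per the hunk headers), a brief comment above the memcpy() noting that `sel_size` was already validated against nla_len() would keep the invariant visible if the two are ever moved apart by a refactor.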