Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp5239102imm; Sun, 26 Aug 2018 14:24:27 -0700 (PDT) X-Google-Smtp-Source: ANB0VdaYAcL2togSvv7rHVHXOriHTmGGxqCxoJRs6TpeLxfq2oniG0/e6bIxR4i5c5ZJUbPatZeE X-Received: by 2002:a62:8c8c:: with SMTP id m134-v6mr11397765pfd.130.1535318667479; Sun, 26 Aug 2018 14:24:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535318667; cv=none; d=google.com; s=arc-20160816; b=TjUZ2YZTrr70lrpSEml/tR5lnQzUAdwzRM4rjmUc6cTgx3bltSkoEWKnA+gTu4ZeeL USTqaToepjm3dHshilp9y3ob3pjgCaUGy+7mlrcvXbuolvUIcs+Fwx8qiknn1eTze5zq anj54V1pQyFmPfVVmF5wnsZ8HkjSApONAvGMTQMS0dUogkdTjYJ6HoeOQP82S1ngOZgm 7RqZ9XcW9DNWwnHi1xhuSEP053TLvVGeAktzDsgDAjh2+as1WS+/XLHnbnDPVeRyoMt9 wmLbVO7kKsiBGbuIeo9wE3T1u4LjMNn+EuHuZFP316ccekV3/sigxVZQltY3VvdWEVuD UX0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date :arc-authentication-results; bh=2Sw1ow6CAa7pnBXpn57V+xL5guIU8FjWmOMMvrj0I+4=; b=E40lxMFpZWm7dLv8SVc0r3PvQEp+Rc1G/Sdhw9IX0ChLFhi1QKbPhKM2NW3MWOynU/ aYTJs+Gf2LANFVgfAtK4/AJYdFFgif7aD5SCKKp2CPaxOa9GTG2FZMOIivm6RmmE+j6O VNZwO66Tdc1F86IoZZPdZVMOQbgBrAF7un5uG/BohyIJSM6U0b2irMzHAfjv8l1q406I Sng+3b1Un2Ox+fKUv1AsLm8Y3TZcoFYP/Cpj9t8amuru2meH3xYArbPZMm8yKF2h4yHG CSxiG+y76uBs5hXTUqHcs/1rhjj4yHYg2uCpA3CYKFDovO+tDlJvDheR2/mU77qg+f/g gLAQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t71-v6si12814231pfi.221.2018.08.26.14.24.12; Sun, 26 Aug 2018 14:24:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726988AbeH0BGm (ORCPT + 99 others); Sun, 26 Aug 2018 21:06:42 -0400 Received: from shards.monkeyblade.net ([23.128.96.9]:46176 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726751AbeH0BGm (ORCPT ); Sun, 26 Aug 2018 21:06:42 -0400 Received: from localhost (unknown [70.97.65.230]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id EC156146C38B0; Sun, 26 Aug 2018 14:22:56 -0700 (PDT) Date: Sun, 26 Aug 2018 14:22:52 -0700 (PDT) Message-Id: <20180826.142252.1150683531522716249.davem@davemloft.net> To: keescook@chromium.org Cc: linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk, jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, netdev@vger.kernel.org Subject: Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL From: David Miller In-Reply-To: <20180826055801.GA42063@beast> References: <20180826055801.GA42063@beast> X-Mailer: Mew version 6.7 on Emacs 26 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Sun, 26 Aug 2018 14:22:57 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook Date: Sat, 25 Aug 2018 22:58:01 -0700 > Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink > policy, so max length isn't enforced, only minimum. This means nkeys > (from userspace) was being trusted without checking the actual size of > nla_len(), which could lead to a memory over-read, and ultimately an > exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within > a namespace. > > Reported-by: Al Viro > Signed-off-by: Kees Cook I'll apply this as-is and queued it up for -stable. If we want to avoid sizeof(*p) type stuff, it can be done as a follow-up. Thanks.