From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Al Viro, Jamal Hadi Salim, Cong Wang, Jiri Pirko, "David S. Miller", netdev@vger.kernel.org, Kees Cook
Subject: [PATCH 4.14 005/115] net: sched: Fix memory exposure from short TCA_U32_SEL
Date: Thu, 13 Sep 2018 15:30:25 +0200
Message-Id: <20180913131823.764057239@linuxfoundation.org>
In-Reply-To: <20180913131823.327472833@linuxfoundation.org>
References: <20180913131823.327472833@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Kees Cook [ Upstream commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 ] Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink policy, so max length isn't enforced, only minimum. This means nkeys (from userspace) was being trusted without checking the actual size of nla_len(), which could lead to a memory over-read, and ultimately an exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within a namespace. Reported-by: Al Viro Cc: Jamal Hadi Salim Cc: Cong Wang Cc: Jiri Pirko Cc: "David S. Miller" Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/cls_u32.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -903,6 +903,7 @@ static int u32_change(struct net *net, s struct nlattr *opt = tca[TCA_OPTIONS]; struct nlattr *tb[TCA_U32_MAX + 1]; u32 htid, flags = 0; + size_t sel_size; int err; #ifdef CONFIG_CLS_U32_PERF size_t size; @@ -1024,8 +1025,11 @@ static int u32_change(struct net *net, s return -EINVAL; s = nla_data(tb[TCA_U32_SEL]); + sel_size = sizeof(*s) + sizeof(*s->keys) * s->nkeys; + if (nla_len(tb[TCA_U32_SEL]) < sel_size) + return -EINVAL; - n = kzalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL); + n = kzalloc(offsetof(typeof(*n), sel) + sel_size, GFP_KERNEL); if (n == NULL) return -ENOBUFS; @@ -1038,7 +1042,7 @@ static int u32_change(struct net *net, s } #endif - memcpy(&n->sel, s, sizeof(*s) + s->nkeys*sizeof(struct tc_u32_key)); + memcpy(&n->sel, s, sel_size); RCU_INIT_POINTER(n->ht_up, ht); n->handle = handle; n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0;
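Review bot: in the second hunk, `sel_size = sizeof(*s) + sizeof(*s->keys) * s->nkeys;` dereferences `s->nkeys` before `nla_len(tb[TCA_U32_SEL])` has been checked, so the new check is only sound because the netlink policy already guarantees at least `sizeof(*s)` bytes (the commit message says only the minimum is enforced); a one-line comment above the check stating that precondition would save the next reader the trip. The allocation change from `sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key)` to `offsetof(typeof(*n), sel) + sel_size` is also only equivalent if `sel` is the last member of the node struct and ends in the flexible `keys` array; that layout is not visible in the hunk, so a comment (or a build-time assertion) recording the assumption would make the dependency explicit.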
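Review bot: in the third hunk, `memcpy(&n->sel, s, sel_size);` now copies exactly the validated length, which closes the over-read the commit message describes; note that because the earlier check is `<` rather than an exact comparison, an attribute longer than `sel_size` is still accepted and its trailing bytes are silently ignored. If that tolerance is intentional (consistent with how the rest of this attribute is handled), it is worth a sentence in the commit message; otherwise decide whether a stricter length check is wanted.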