From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 5.4 129/222] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
Date: Wed, 22 Jan 2020 10:28:35 +0100
Message-Id: <20200122092842.985072809@linuxfoundation.org>
In-Reply-To: <20200122092833.339495161@linuxfoundation.org>
References: <20200122092833.339495161@linuxfoundation.org>

From: Florian Westphal

commit 9332d27d7918182add34e8043f6a754530fdd022 upstream.

This WARN can trigger because some of the names fed to the module autoload function can be of arbitrary length.

Remove the WARN and add limits for all NLA_STRING attributes.

Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com
Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman

--- net/netfilter/nf_tables_api.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -22,6 +22,8 @@ #include #include +#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) + static LIST_HEAD(nf_tables_expressions); static LIST_HEAD(nf_tables_objects); static LIST_HEAD(nf_tables_flowtables); @@ -521,7 +523,7 @@ static void nft_request_module(struct ne va_start(args, fmt); ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); va_end(args); - if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret)) + if (ret >= MODULE_NAME_LEN) return; mutex_unlock(&net->nft.commit_mutex); 
@@ -1174,7 +1176,8 @@ static const struct nla_policy nft_chain .len = NFT_CHAIN_MAXNAMELEN - 1 }, [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, - [NFTA_CHAIN_TYPE] = { .type = NLA_STRING }, + [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, + .len = NFT_MODULE_AUTOLOAD_LIMIT }, [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, }; @@ -2088,7 +2091,8 @@ static const struct nft_expr_type *nft_e } static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { - [NFTA_EXPR_NAME] = { .type = NLA_STRING }, + [NFTA_EXPR_NAME] = { .type = NLA_STRING, + .len = NFT_MODULE_AUTOLOAD_LIMIT }, [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, }; @@ -3931,7 +3935,8 @@ static const struct nla_policy nft_set_e [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, .len = NFT_USERDATA_MAXLEN }, [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, - [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING }, + [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, + .len = NFT_OBJ_MAXNAMELEN - 1 }, }; static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
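
Review bot: NFT_MODULE_AUTOLOAD_LIMIT in the @@ -22,6 +22,8 @@ hunk is defined without a comment explaining how the bound is derived. sizeof("nft-expr-255-") counts the terminating NUL, and that extra byte is what makes a maximum-length attribute plus the prefix land just under the `ret >= MODULE_NAME_LEN` check in nft_request_module(). A short comment above the #define stating that "nft-expr-255-" is taken as the longest prefix passed to the autoload helper, and what the 255 stands for, would let a later reader re-check the arithmetic when another prefix is added.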
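
Review bot: the `if (ret >= MODULE_NAME_LEN) return;` path in the @@ -521,7 +523,7 @@ hunk now drops an over-long name silently, and because nft_request_module() is void the caller cannot tell that no module request was made. Removing the WARN is right for input that userspace controls, but a comment on the check saying that the nla_policy .len limits are expected to keep it unreachable would help, so that anyone who later feeds a new NLA_STRING attribute into the autoload path knows a missing .len will fail quietly here rather than loudly.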
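
Review bot: NFTA_CHAIN_TYPE in the @@ -1174,7 +1176,8 @@ hunk is bounded with NFT_MODULE_AUTOLOAD_LIMIT, which is computed from the "nft-expr-255-" prefix, while nothing in the patch shows the prefix used when a chain type is autoloaded. If that prefix is longer than the expression one, a chain type name at the limit would still reach the truncation return. Please confirm the chain-type prefix fits within the same budget and say so in the macro comment or the commit message.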
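
Review bot: NFTA_SET_ELEM_OBJREF in the @@ -3931,7 +3935,8 @@ hunk takes `.len = NFT_OBJ_MAXNAMELEN - 1` rather than NFT_MODULE_AUTOLOAD_LIMIT, so this is an object-name bound and not an autoload bound, yet the commit message describes all the new limits together. A sentence in the changelog noting that this attribute is capped to the object name length (and is not one of the names fed to module autoload, if that is the case) would make the intent of the differing limit clear to stable reviewers.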