From: Lin Ma
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, martin.lau@kernel.org, yhs@fb.com, andrii@kernel.org, void@manifault.com, houtao1@huawei.com, laoar.shao@gmail.com, inwardvessel@gmail.com, kuniyu@amazon.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Cc: Lin Ma
Subject: [PATCH v1] bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing
Date: Sun, 23 Jul 2023 15:54:52 +0800
Message-Id: <20230723075452.3711158-1-linma@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: linux-kernel@vger.kernel.org

The nla_for_each_nested parsing in function bpf_sk_storage_diag_alloc does not check the length of the nested attribute. This can lead to an out-of-attribute read and allow a malformed nlattr (e.g., length 0) to be viewed as a 4 byte integer.

This patch adds an additional check before the execution of nla_get_u32 to make sure the attribute has enough length.

Fixes: 1ed4d92458a9 ("bpf: INET_DIAG support in bpf_sk_storage")
Signed-off-by: Lin Ma
---
net/core/bpf_sk_storage.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c index d4172534dfa8..6f1afbb394a6 100644 --- a/net/core/bpf_sk_storage.c +++ b/net/core/bpf_sk_storage.c @@ -511,6 +511,11 @@ bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs) if (nla_type(nla) != SK_DIAG_BPF_STORAGE_REQ_MAP_FD) continue; + if (nla_len(nla) < sizeof(map_fd)) { + err = -EINVAL; + goto err_free; + } + map_fd = nla_get_u32(nla); map = bpf_map_get(map_fd); if (IS_ERR(map)) {

-- 
2.17.1
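Review bot: the open-coded `if (nla_len(nla) < sizeof(map_fd))` placed before `map_fd = nla_get_u32(nla);` does close the short-payload read, but the idiomatic netlink fix is a `struct nla_policy` entry of `.type = NLA_U32` for SK_DIAG_BPF_STORAGE_REQ_MAP_FD validated once with `nla_validate_nested()` before the `nla_for_each_nested` loop, which rejects undersized, oversized and unknown attributes in one place instead of per call site. If the inline check is kept, `sizeof(u32)` states the intent more directly than `sizeof(map_fd)`, whose meaning depends on the variable's declared type elsewhere in the function, and the `-EINVAL` plus `goto err_free` exit matches the existing error handling in the hunk.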
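As an added example (not the kernel's code or the patch author's), a user-space model of the nested-attribute walk this patch hardens: it builds a constructed SK_DIAG_BPF_STORAGE_REQ_MAP_FD attribute buffer, reads the fd the way nla_get_u32() does, and rejects a zero-payload attribute with -EINVAL exactly as the new check does. The attribute type id, the `struct nla` layout and the helper names are assumptions that mirror struct nlattr rather than include the kernel headers.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define SK_DIAG_BPF_STORAGE_REQ_MAP_FD 1   /* assumed id; only the type match matters here */
#define NLA_HDRLEN 4
#define NLA_ALIGN(len) (((len) + 3) & ~3)
struct nla { uint16_t nla_len; uint16_t nla_type; };   /* models the kernel's struct nlattr */
/* Walk a nested buffer as bpf_sk_storage_diag_alloc does; return the map fd or -errno. */
static int parse_map_fd(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int fd = -ENOENT;
    while (off + NLA_HDRLEN <= len) {
        const struct nla *a = (const struct nla *)(buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > len)
            return -EINVAL;                       /* header claims a size the buffer lacks */
        if (a->nla_type == SK_DIAG_BPF_STORAGE_REQ_MAP_FD) {
            /* The patch's check: payload must hold a whole u32, else nla_get_u32() reads past it */
            if (a->nla_len - NLA_HDRLEN < (int)sizeof(uint32_t))
                return -EINVAL;
            uint32_t v;
            memcpy(&v, (const char *)a + NLA_HDRLEN, sizeof v);   /* what nla_get_u32() does */
            fd = (int)v;
        }
        off += NLA_ALIGN(a->nla_len);
    }
    return fd;
}

/* Append one MAP_FD attribute (constructed test input); returns the next aligned offset. */
static size_t put_attr(unsigned char *buf, size_t off, const void *data, uint16_t dlen)
{
    struct nla h = { (uint16_t)(NLA_HDRLEN + dlen), SK_DIAG_BPF_STORAGE_REQ_MAP_FD };
    memcpy(buf + off, &h, NLA_HDRLEN);
    if (dlen)
        memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + NLA_ALIGN(h.nla_len);
}

/* Map fd 7, optionally followed by a zero-payload attribute (the commit message's case). */
int demo(int add_empty_attr)
{
    unsigned char buf[16] = {0};
    uint32_t fd = 7;
    size_t len = put_attr(buf, 0, &fd, sizeof fd);
    if (add_empty_attr)
        len = put_attr(buf, len, NULL, 0);
    return parse_map_fd(buf, len);   /* 7 for a well-formed request, -EINVAL with the short attr */
}
```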