Received: by 2002:a05:6358:701b:b0:131:369:b2a3 with SMTP id 27csp4573493rwo;
        Tue, 25 Jul 2023 08:01:42 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHD42YB1i/CZl96mF3ycdX//S2V1T4ETh6Of73anZRVxArTrelgKvazZ21DeYtUYjyk6lob
X-Received: by 2002:a17:90a:8b0e:b0:263:f590:f231 with SMTP id y14-20020a17090a8b0e00b00263f590f231mr10648291pjn.26.1690297301883;
        Tue, 25 Jul 2023 08:01:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690297301; cv=none;
        d=google.com; s=arc-20160816;
        b=fTYwkzdbKZiR9LpAMcrVA8Z6n4pP4fOPYg97VJ1PyQ07VSRMmP/bPE7+AdhsOGXgIa
         nJQttDvKpupKGvEuJt08r8YSlH/OoWSjpYHPtuh2aEjG2Y0A3FdQe3dTOLyBuC5iChS3
         i2xdSNxZH2qNhMSFYknE0Nx2wxjpNnnr1ER/OgoQOexB0rAlFuozIaAryvcuvtuftMjx
         nWBEabTZG/DsMBF6lMhzvG6qBORw6UvnvB8RhHrr7pp9zXngwgPSv1/YYHNAC8HaiewW
         rmR0XfmZSJuJXnvdV7yTzef1stve1vc+DROvFkVpHyCq7E+GZRslvdarz7ceBftxNS7i
         ZdYA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :content-language:references:to:subject:user-agent:mime-version:date
         :message-id:dkim-signature;
        bh=QeJ+8u8ZaYUwpLiyi+CCaKydAPqb727pDz7pLVQc0Og=;
        fh=fFdDyEYEuy78N88SWeQa1WR+nEWRYc1U+1qEV0biOAw=;
        b=UoNQNm3w5a9rxQmhcOc0suRMtHpLavz3K7QRaVo/t/mreDQsF4PdK+AdzACBvu6MB1
         AQCy4O3tkigf+hQ/4S5Oqjaxw+B5pewRWb608wgX6pazkPCPZVVUornT6umguVL/CdMe
         KYsUyueQj5PVBuqZcNgcTl0iKIdphY/g2bByEAbXJrNfH+G+DveMC5uqlEXbzBefs9nQ
         W2XRZ23jS9qHyE7OwWO7zyBMMJI/yvZZbivjeVdHerB9+zH814jrGAVshqKTHMe18690
         EJOmt2fseAUCL+nQoHrA21Od40i5VT/UrlBRxDNtny1S4oaKY07TKXtWM+ysEjiB8+wr
         K80A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@blackwall-org.20221208.gappssmtp.com header.s=20221208 header.b=phE16iwC;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id b6-20020a17090a6e0600b00267f33cf006si7439582pjk.67.2023.07.25.08.01.27;
        Tue, 25 Jul 2023 08:01:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@blackwall-org.20221208.gappssmtp.com header.s=20221208 header.b=phE16iwC;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233176AbjGYObO (ORCPT <rfc822;andrew.melo@gmail.com>
        + 99 others); Tue, 25 Jul 2023 10:31:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43056 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233179AbjGYOar (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 25 Jul 2023 10:30:47 -0400
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 871D226A2
        for <linux-kernel@vger.kernel.org>; Tue, 25 Jul 2023 07:30:35 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2b734aea34aso81203451fa.0
        for <linux-kernel@vger.kernel.org>; Tue, 25 Jul 2023 07:30:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=blackwall-org.20221208.gappssmtp.com; s=20221208; t=1690295433; x=1690900233;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:to:subject:user-agent:mime-version:date:message-id:from
         :to:cc:subject:date:message-id:reply-to;
        bh=QeJ+8u8ZaYUwpLiyi+CCaKydAPqb727pDz7pLVQc0Og=;
        b=phE16iwCP31NqrlalixrwUIhuGyz7U0E5Y0skNncWEjB2mPNscOndY0shE0gYzdtAU
         jj7Mqm1ohFxtjGGh6OVLBA6AjHcIsWRo+/pUpkh1pRhIiVynC5g15qj/kmFdslgdEPjP
         ZoJEdEli/309kprYOVGjdq8EJ+Y7b7i2/QOr2PwEdLWyYf1+ypNr66Db1NmP2ih/v/lZ
         pzFhUaBMVR0I3HxTNy2xbYptBHK8IHpHGKce1buo3UHXtWBGvjmAjBQ871KZcW5WAVXf
         1O91WaEfDO96SSHQ6QXBMKW14FCNPqkK+/BqE1aFg/Qo32mBCh1APXwgs/RcGzT/2cNp
         xjBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1690295433; x=1690900233;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:to:subject:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=QeJ+8u8ZaYUwpLiyi+CCaKydAPqb727pDz7pLVQc0Og=;
        b=SttvG49K5IUzjUwbDm1jKABdvdsd7cLqlruZsAWj0x05Yx+6qXCM16cqW91dv2YfGP
         9yNOrDjOpeIu/qPnzdNwGwIQiUJs18s+TZ5gOw2o+nO/jSkd6OfBWp5mGh+nNQfyKqHS
         fjWbKU1n6sa/sbQmDPTXy4NAWAryhc3Tac0b47BxtyrI8VybDLjBdhfQzz7RCHDHbmmN
         ipEKLaureGiF7ccDH2fQcIsZubVUlBEpUswXvmgfW0D2HXDOyCLxPV8cmioFIjfTG0it
         420zmcy7Rd2SvBUBpbjqfAZ17bc5ePyfhCMEabm5LCRahKlK8hvSuVBKDin1aNFZP18S
         lTQg==
X-Gm-Message-State: ABy/qLaU22061WTdu0F6e1L0c3MW1XF+bwSlaYleD23vrVPCwBUtnoCE
        brmFujerFG8f89SJYSKXFR/GSA==
X-Received: by 2002:a2e:9650:0:b0:2b6:fa54:cec1 with SMTP id z16-20020a2e9650000000b002b6fa54cec1mr9474682ljh.48.1690295433490;
        Tue, 25 Jul 2023 07:30:33 -0700 (PDT)
Received: from [192.168.1.2] (handbookness.lineup.volia.net. [93.73.104.44])
        by smtp.gmail.com with ESMTPSA id n13-20020a170906378d00b0099b4ec39a19sm8348718ejc.6.2023.07.25.07.30.32
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 25 Jul 2023 07:30:33 -0700 (PDT)
Message-ID: <6a177bb3-0ee4-f453-695b-d9bdd441aa2c@blackwall.org>
Date:   Tue, 25 Jul 2023 17:30:31 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.5.0
Subject: Re: [PATCH v2] rtnetlink: let rtnl_bridge_setlink checks
 IFLA_BRIDGE_MODE length
To:     Lin Ma <linma@zju.edu.cn>, davem@davemloft.net,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        idosch@nvidia.com, lucien.xin@gmail.com, liuhangbin@gmail.com,
        edwin.peer@broadcom.com, jiri@resnulli.us,
        md.fahad.iqbal.polash@intel.com, anirudh.venkataramanan@intel.com,
        jeffrey.t.kirsher@intel.com, neerav.parikh@intel.com,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20230725055706.498774-1-linma@zju.edu.cn>
Content-Language: en-US
From:   Nikolay Aleksandrov <razor@blackwall.org>
In-Reply-To: <20230725055706.498774-1-linma@zju.edu.cn>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/25/23 08:57, Lin Ma wrote:
> There are totally 9 ndo_bridge_setlink handlers in the current kernel,
> which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3)
> i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5)
> ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7)
> nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink.
> 
> By investigating the code, we find that 1-7 parse and use nlattr
> IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can
> lead to an out-of-attribute read and allow a malformed nlattr (e.g.,
> length 0) to be viewed as a 2 byte integer.
> 
> To avoid such issues, also for other ndo_bridge_setlink handlers in the
> future. This patch adds the nla_len check in rtnl_bridge_setlink and
> does an early error return if length mismatches. To make it works, the
> break is removed from the parsing for IFLA_BRIDGE_FLAGS to make sure
> this nla_for_each_nested iterates every attribute.
> 
> Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
> Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> ---
> V1 -> V2: removes the break in parsing for IFLA_BRIDGE_FLAGS suggested
>            by Hangbin Liu <liuhangbin@gmail.com>
> 
>   net/core/rtnetlink.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 3ad4e030846d..aef25aa5cf1d 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -5140,13 +5140,17 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   	br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
>   	if (br_spec) {
>   		nla_for_each_nested(attr, br_spec, rem) {
> -			if (nla_type(attr) == IFLA_BRIDGE_FLAGS) {
> +			if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) {
>   				if (nla_len(attr) < sizeof(flags))
>   					return -EINVAL;
>   
>   				have_flags = true;
>   				flags = nla_get_u16(attr);
> -				break;
> +			}
> +
> +			if (nla_type(attr) == IFLA_BRIDGE_MODE) {
> +				if (nla_len(attr) < sizeof(u16))
> +					return -EINVAL;
>   			}
>   		}
>   	}

Patch looks good now, you should probably remove the extra checks done
by each driver that are now unnecessary (net-next material). As Hangbin
commented you should target this fix at -net, with that:

Acked-by: Nikolay Aleksandrov <razor@blackwall.org>